@lucern/events 0.3.0-alpha.9 → 1.0.0

package/dist/index.js CHANGED
@@ -26,6 +26,20 @@ function matchesAnyEventPattern(eventType, patterns) {
26
26
  return patterns.some((pattern) => matchesEventPattern(eventType, pattern));
27
27
  }
28
28
 
29
+ // ../contracts/src/types/reasoning-method.ts
30
+ var REASONING_METHODS = [
31
+ "deductive",
32
+ "inductive",
33
+ "abductive",
34
+ "analogical",
35
+ "causal",
36
+ "correlational",
37
+ "testimonial",
38
+ "statistical",
39
+ "implicit",
40
+ "pattern_match"
41
+ ];
42
+
29
43
  // ../contracts/src/graph-intelligence.contract.ts
30
44
  var GRAPH_INTELLIGENCE_MODE_TOOL_NAMES = {
31
45
  core: [
@@ -847,7 +861,7 @@ defineTable({
847
861
  });
848
862
  defineTable({
849
863
  name: "agents",
850
- component: "identity",
864
+ component: "control-plane",
851
865
  category: "agent",
852
866
  shape: z.object({
853
867
  "slug": z.string(),
@@ -878,6 +892,8 @@ defineTable({
878
892
  category: "tenant",
879
893
  shape: z.object({
880
894
  "tenantId": idOf("tenants"),
895
+ "workspaceId": idOf("workspaces").optional(),
896
+ "environment": z.enum(["dev", "staging", "prod"]).optional(),
881
897
  "keyPrefix": z.enum(["luc", "stk"]),
882
898
  "keyHash": z.string(),
883
899
  "keyHint": z.string(),
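Review bot: The new `"workspaceId"` and `"environment"` fields on this key record are both optional, and nothing in the shape says what a row without them grants. Such a row could be a tenant-wide key valid in every environment or a legacy row awaiting backfill, and a verifier that treats `undefined` as "matches anything" would make it broader than a workspace-scoped key. I would add a comment in the source contract stating the intended rule, for example `// absent workspaceId/environment = tenant-wide key; verification compares both when present`, and confirm the key check follows it. The enclosing defineTable call starts and ends outside this hunk, so the table name and its indices are not visible here.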
@@ -905,7 +921,7 @@ defineTable({
905
921
  shape: z.object({
906
922
  "tenantId": idOf("tenants").optional(),
907
923
  "apiKeyId": idOf("apiKeys").optional(),
908
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
924
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "tenant_canonical_identity_repaired", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", 
"pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
909
925
  "actorClerkId": z.string(),
910
926
  "details": z.any().optional(),
911
927
  "createdAt": z.number()
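Review bot: The lease actions added to the `"action"` enum cover only the successful path (`proxy_token_lease_issued`, `proxy_token_lease_renewed`, `proxy_token_lease_revoked`), with nothing for a refused or lapsed lease. The same enum already records the negative case elsewhere: `service_key_auth_failed`, `key_expired`, and the new `permit_sync_failed`. Refused issuance and renewal attempts are the entries detection rules usually depend on, so unless they are logged in another table I would add values along the lines of `"proxy_token_lease_denied"` and `"proxy_token_lease_expired"`. The defineTable call begins before this hunk, so which table the enum belongs to is inferred from the field names only.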
@@ -1129,6 +1145,35 @@ defineTable({
1129
1145
  { kind: "index", name: "by_source", columns: ["source"] }
1130
1146
  ]
1131
1147
  });
1148
+ defineTable({
1149
+ name: "domainEvents",
1150
+ component: "kernel",
1151
+ category: "events",
1152
+ shape: z.object({
1153
+ "eventId": z.string(),
1154
+ "type": z.string(),
1155
+ "version": z.string(),
1156
+ "timestamp": z.number(),
1157
+ "tenantId": z.string().optional(),
1158
+ "workspaceId": z.string().optional(),
1159
+ "topicId": z.string(),
1160
+ "resourceId": z.string(),
1161
+ "resourceType": z.string(),
1162
+ "actorId": z.string(),
1163
+ "actorType": z.enum(["human", "agent", "service"]),
1164
+ "data": z.record(z.any()),
1165
+ "correlationId": z.string().optional(),
1166
+ "expiresAt": z.number()
1167
+ }),
1168
+ indices: [
1169
+ { kind: "index", name: "by_eventId", columns: ["eventId"] },
1170
+ { kind: "index", name: "by_topic_timestamp", columns: ["topicId", "timestamp"] },
1171
+ { kind: "index", name: "by_tenant_workspace_timestamp", columns: ["tenantId", "workspaceId", "timestamp"] },
1172
+ { kind: "index", name: "by_type_timestamp", columns: ["type", "timestamp"] },
1173
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId", "timestamp"] },
1174
+ { kind: "index", name: "by_expiresAt", columns: ["expiresAt"] }
1175
+ ]
1176
+ });
1132
1177
  defineTable({
1133
1178
  name: "beliefConfidence",
1134
1179
  component: "kernel",
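Review bot: In the new `domainEvents` table, `"tenantId"` and `"workspaceId"` are plain optional strings, whereas the control-plane tables in this diff use `idOf("tenants")` and `idOf("workspaces")`. An event can therefore be stored with no tenant, or with a value that matches no tenant row, and it then falls outside any query on `by_tenant_workspace_timestamp`. If the kernel component cannot reference those tables this may be deliberate; a comment saying so, and naming which event types may omit the tenant, would make the isolation rule checkable. `"data": z.record(z.any())` also accepts any payload and keeps it until `expiresAt`, so I would add `// producers must not place credentials or tokens in data` or give each event type its own schema.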
@@ -1784,29 +1829,37 @@ defineTable({
1784
1829
  component: "mc",
1785
1830
  category: "runtime",
1786
1831
  shape: z.object({
1787
- "shimId": z.string(),
1788
- "gateId": z.string(),
1789
- "removalDate": z.string(),
1790
- "removalPriority": z.enum(["P1", "P2", "P3"]),
1791
- "description": z.string(),
1792
- "owner": z.string(),
1793
- "createdAt": z.string(),
1794
- "status": z.enum(["active", "overdue", "removed"]),
1795
- "bridgeType": z.enum(["tool", "agent"]),
1796
- "bridgeTarget": z.object({
1797
- "type": z.enum(["tool", "agent"]),
1798
- "legacyPath": z.string(),
1799
- "harnessPath": z.string()
1832
+ shimId: z.string(),
1833
+ gateId: z.string(),
1834
+ removalDate: z.string(),
1835
+ removalPriority: z.enum(["P1", "P2", "P3"]),
1836
+ description: z.string(),
1837
+ owner: z.string(),
1838
+ createdAt: z.string(),
1839
+ status: z.enum(["active", "overdue", "removed"]),
1840
+ bridgeType: z.enum(["tool", "agent"]),
1841
+ bridgeTarget: z.object({
1842
+ type: z.enum(["tool", "agent"]),
1843
+ legacyPath: z.string(),
1844
+ harnessPath: z.string()
1800
1845
  }),
1801
- "shimBehavior": z.enum(["passthrough_with_logging", "adapter", "feature_flag_gate"]),
1802
- "producesLedgerEntries": z.boolean(),
1803
- "lastAuditedAt": z.number(),
1804
- "metadata": z.record(z.any()).optional()
1846
+ shimBehavior: z.enum([
1847
+ "passthrough_with_logging",
1848
+ "adapter",
1849
+ "feature_flag_gate"
1850
+ ]),
1851
+ producesLedgerEntries: z.boolean(),
1852
+ lastAuditedAt: z.number(),
1853
+ metadata: z.record(z.any()).optional()
1805
1854
  }),
1806
1855
  indices: [
1807
1856
  { kind: "index", name: "by_shimId", columns: ["shimId"] },
1808
1857
  { kind: "index", name: "by_status", columns: ["status"] },
1809
- { kind: "index", name: "by_bridgeType_status", columns: ["bridgeType", "status"] }
1858
+ {
1859
+ kind: "index",
1860
+ name: "by_bridgeType_status",
1861
+ columns: ["bridgeType", "status"]
1862
+ }
1810
1863
  ]
1811
1864
  });
1812
1865
  defineTable({
@@ -1814,12 +1867,23 @@ defineTable({
1814
1867
  component: "mc",
1815
1868
  category: "runtime",
1816
1869
  shape: z.object({
1817
- "domain": z.enum(["graph", "schema", "identity", "policy", "audit", "admin", "agent", "tool", "prompt", "intelligence"]),
1818
- "state": z.enum(["legacy", "cutover", "disabled"]),
1819
- "metadata": z.record(z.any()).optional(),
1820
- "updatedBy": z.string(),
1821
- "createdAt": z.number(),
1822
- "updatedAt": z.number()
1870
+ domain: z.enum([
1871
+ "graph",
1872
+ "schema",
1873
+ "identity",
1874
+ "policy",
1875
+ "audit",
1876
+ "admin",
1877
+ "agent",
1878
+ "tool",
1879
+ "prompt",
1880
+ "intelligence"
1881
+ ]),
1882
+ state: z.enum(["legacy", "cutover", "disabled"]),
1883
+ metadata: z.record(z.any()).optional(),
1884
+ updatedBy: z.string(),
1885
+ createdAt: z.number(),
1886
+ updatedAt: z.number()
1823
1887
  }),
1824
1888
  indices: [
1825
1889
  { kind: "index", name: "by_domain", columns: ["domain"] },
@@ -1831,57 +1895,193 @@ defineTable({
1831
1895
  component: "mc",
1832
1896
  category: "runtime",
1833
1897
  shape: z.object({
1834
- "credentialRef": z.string(),
1835
- "tenantId": idOf("tenants"),
1836
- "target": z.enum(["kernelDeployment", "appDeployment"]),
1837
- "environment": z.enum(["dev", "staging", "prod"]),
1838
- "encryptedDeployKey": z.string(),
1839
- "encryptionVersion": z.string(),
1840
- "keyFingerprint": z.string(),
1841
- "keyHint": z.string(),
1842
- "status": z.enum(["active", "revoked"]),
1843
- "rotatedFromCredentialRef": z.string().optional(),
1844
- "revokedAt": z.number().optional(),
1845
- "revokedBy": z.string().optional(),
1846
- "lastUsedAt": z.number().optional(),
1847
- "metadata": z.record(z.any()).optional(),
1848
- "createdBy": z.string(),
1849
- "createdAt": z.number(),
1850
- "updatedAt": z.number()
1898
+ credentialRef: z.string(),
1899
+ tenantId: idOf("tenants"),
1900
+ workspaceId: idOf("workspaces").optional(),
1901
+ target: z.enum(["kernelDeployment", "appDeployment"]),
1902
+ environment: z.enum(["dev", "staging", "prod"]),
1903
+ encryptedDeployKey: z.string(),
1904
+ encryptionVersion: z.string(),
1905
+ keyFingerprint: z.string(),
1906
+ keyHint: z.string(),
1907
+ status: z.enum(["active", "revoked"]),
1908
+ rotatedFromCredentialRef: z.string().optional(),
1909
+ revokedAt: z.number().optional(),
1910
+ revokedBy: z.string().optional(),
1911
+ lastUsedAt: z.number().optional(),
1912
+ metadata: z.record(z.any()).optional(),
1913
+ createdBy: z.string(),
1914
+ createdAt: z.number(),
1915
+ updatedAt: z.number()
1851
1916
  }),
1852
1917
  indices: [
1853
1918
  { kind: "index", name: "by_credentialRef", columns: ["credentialRef"] },
1854
1919
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1855
- { kind: "index", name: "by_tenant_target", columns: ["tenantId", "target"] },
1856
- { kind: "index", name: "by_tenant_target_environment", columns: ["tenantId", "target", "environment"] },
1857
- { kind: "index", name: "by_tenant_target_environment_status", columns: ["tenantId", "target", "environment", "status"] },
1920
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
1921
+ {
1922
+ kind: "index",
1923
+ name: "by_tenant_target",
1924
+ columns: ["tenantId", "target"]
1925
+ },
1926
+ {
1927
+ kind: "index",
1928
+ name: "by_tenant_target_environment",
1929
+ columns: ["tenantId", "target", "environment"]
1930
+ },
1931
+ {
1932
+ kind: "index",
1933
+ name: "by_tenant_target_environment_status",
1934
+ columns: ["tenantId", "target", "environment", "status"]
1935
+ },
1936
+ {
1937
+ kind: "index",
1938
+ name: "by_tenant_workspace_target_environment_status",
1939
+ columns: ["tenantId", "workspaceId", "target", "environment", "status"]
1940
+ },
1858
1941
  { kind: "index", name: "by_status", columns: ["status"] }
1859
1942
  ]
1860
1943
  });
1944
+ defineTable({
1945
+ name: "permitSyncStates",
1946
+ component: "mc",
1947
+ category: "runtime",
1948
+ shape: z.object({
1949
+ syncKey: z.string(),
1950
+ objectType: z.enum([
1951
+ "resource",
1952
+ "role",
1953
+ "resource_role",
1954
+ "resource_relation",
1955
+ "tenant",
1956
+ "workspace",
1957
+ "principal",
1958
+ "membership",
1959
+ "group",
1960
+ "resource_instance",
1961
+ "relationship_tuple",
1962
+ "role_assignment"
1963
+ ]),
1964
+ objectId: z.string(),
1965
+ tenantId: idOf("tenants").optional(),
1966
+ workspaceId: idOf("workspaces").optional(),
1967
+ principalId: z.string().optional(),
1968
+ permitTenantKey: z.string().optional(),
1969
+ permitResourceType: z.string().optional(),
1970
+ permitResourceKey: z.string().optional(),
1971
+ desiredPayload: z.record(z.any()),
1972
+ lastAppliedPayloadHash: z.string().optional(),
1973
+ status: z.enum(["pending", "synced", "error", "skipped"]),
1974
+ attemptCount: z.number(),
1975
+ lastError: z.string().optional(),
1976
+ nextAttemptAt: z.number().optional(),
1977
+ lastSyncedAt: z.number().optional(),
1978
+ createdBy: z.string(),
1979
+ updatedBy: z.string().optional(),
1980
+ createdAt: z.number(),
1981
+ updatedAt: z.number()
1982
+ }),
1983
+ indices: [
1984
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
1985
+ { kind: "index", name: "by_status", columns: ["status"] },
1986
+ {
1987
+ kind: "index",
1988
+ name: "by_tenant_status",
1989
+ columns: ["tenantId", "status"]
1990
+ },
1991
+ {
1992
+ kind: "index",
1993
+ name: "by_workspace_status",
1994
+ columns: ["workspaceId", "status"]
1995
+ },
1996
+ {
1997
+ kind: "index",
1998
+ name: "by_principal_status",
1999
+ columns: ["principalId", "status"]
2000
+ }
2001
+ ]
2002
+ });
2003
+ defineTable({
2004
+ name: "secretSyncDriftReports",
2005
+ component: "mc",
2006
+ category: "runtime",
2007
+ shape: z.object({
2008
+ reportId: z.string(),
2009
+ source: z.enum(["infisical_manifest", "manual", "ci"]),
2010
+ generatedAt: z.number(),
2011
+ recordedAt: z.number(),
2012
+ recordedBy: z.string(),
2013
+ status: z.enum([
2014
+ "in_sync",
2015
+ "drift",
2016
+ "exception",
2017
+ "blocked",
2018
+ "not_observed"
2019
+ ]),
2020
+ reportHash: z.string(),
2021
+ manifestHash: z.string().optional(),
2022
+ dryRunReceiptId: z.string().optional(),
2023
+ appliedReceiptId: z.string().optional(),
2024
+ summary: z.object({
2025
+ totalPipelines: z.number(),
2026
+ inSync: z.number(),
2027
+ drift: z.number(),
2028
+ exception: z.number(),
2029
+ blocked: z.number(),
2030
+ notObserved: z.number(),
2031
+ missingKeys: z.number(),
2032
+ valueDriftKeys: z.number(),
2033
+ extraKeys: z.number(),
2034
+ deniedConvexLeakage: z.number(),
2035
+ approvedExceptions: z.number()
2036
+ }),
2037
+ redactedReport: z.record(z.any()),
2038
+ metadata: z.record(z.any()).optional()
2039
+ }),
2040
+ indices: [
2041
+ { kind: "index", name: "by_reportId", columns: ["reportId"] },
2042
+ { kind: "index", name: "by_reportHash", columns: ["reportHash"] },
2043
+ { kind: "index", name: "by_generatedAt", columns: ["generatedAt"] },
2044
+ {
2045
+ kind: "index",
2046
+ name: "by_status_generatedAt",
2047
+ columns: ["status", "generatedAt"]
2048
+ }
2049
+ ]
2050
+ });
1861
2051
  defineTable({
1862
2052
  name: "controlPlaneTenantModelSlotBindings",
1863
2053
  component: "mc",
1864
2054
  category: "runtime",
1865
2055
  shape: z.object({
1866
- "bindingId": z.string(),
1867
- "tenantId": idOf("tenants"),
1868
- "providerId": z.string(),
1869
- "modelSlotId": z.string(),
1870
- "secretRef": z.string(),
1871
- "status": z.enum(["active", "revoked"]),
1872
- "passThroughOnly": z.boolean(),
1873
- "revokedAt": z.number().optional(),
1874
- "revokedBy": z.string().optional(),
1875
- "metadata": z.record(z.any()).optional(),
1876
- "createdBy": z.string(),
1877
- "createdAt": z.number(),
1878
- "updatedAt": z.number()
2056
+ bindingId: z.string(),
2057
+ tenantId: idOf("tenants"),
2058
+ workspaceId: idOf("workspaces").optional(),
2059
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2060
+ providerId: z.string(),
2061
+ modelSlotId: z.string(),
2062
+ secretRef: z.string(),
2063
+ status: z.enum(["active", "revoked"]),
2064
+ passThroughOnly: z.boolean(),
2065
+ revokedAt: z.number().optional(),
2066
+ revokedBy: z.string().optional(),
2067
+ metadata: z.record(z.any()).optional(),
2068
+ createdBy: z.string(),
2069
+ createdAt: z.number(),
2070
+ updatedAt: z.number()
1879
2071
  }),
1880
2072
  indices: [
1881
2073
  { kind: "index", name: "by_bindingId", columns: ["bindingId"] },
1882
2074
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1883
- { kind: "index", name: "by_tenant_slot", columns: ["tenantId", "modelSlotId"] },
1884
- { kind: "index", name: "by_tenant_provider_slot", columns: ["tenantId", "providerId", "modelSlotId"] },
2075
+ {
2076
+ kind: "index",
2077
+ name: "by_tenant_slot",
2078
+ columns: ["tenantId", "modelSlotId"]
2079
+ },
2080
+ {
2081
+ kind: "index",
2082
+ name: "by_tenant_provider_slot",
2083
+ columns: ["tenantId", "providerId", "modelSlotId"]
2084
+ },
1885
2085
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1886
2086
  { kind: "index", name: "by_status", columns: ["status"] }
1887
2087
  ]
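Review bot: `controlPlaneTenantModelSlotBindings` gains optional `workspaceId` and `environment`, but its indices stay tenant-only (`by_tenant_slot`, `by_tenant_provider_slot`). A lookup through them can therefore return a binding created for another workspace or environment unless every caller filters afterwards. The deploy-credential table earlier in this hunk did get `by_tenant_workspace_target_environment_status`, so I would add a matching index here, for example `{ kind: "index", name: "by_tenant_workspace_environment_slot", columns: ["tenantId", "workspaceId", "environment", "modelSlotId"] }`. The provider-secret table in the next hunk (`@@ -1891,29 +2091,42 @@`) has the same gap. Separately, `redactedReport: z.record(z.any())` in `secretSyncDriftReports` leaves redaction entirely to the writer; a typed shape limited to key names and statuses would keep values out by construction.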
@@ -1891,29 +2091,42 @@ defineTable({
1891
2091
  component: "mc",
1892
2092
  category: "runtime",
1893
2093
  shape: z.object({
1894
- "secretRef": z.string(),
1895
- "tenantId": idOf("tenants"),
1896
- "providerId": z.string(),
1897
- "label": z.string().optional(),
1898
- "encryptedSecret": z.string(),
1899
- "encryptionVersion": z.string(),
1900
- "secretFingerprint": z.string(),
1901
- "keyHint": z.string(),
1902
- "status": z.enum(["active", "revoked"]),
1903
- "rotatedFromSecretRef": z.string().optional(),
1904
- "revokedAt": z.number().optional(),
1905
- "revokedBy": z.string().optional(),
1906
- "lastUsedAt": z.number().optional(),
1907
- "metadata": z.record(z.any()).optional(),
1908
- "createdBy": z.string(),
1909
- "createdAt": z.number(),
1910
- "updatedAt": z.number()
2094
+ secretRef: z.string(),
2095
+ tenantId: idOf("tenants"),
2096
+ workspaceId: idOf("workspaces").optional(),
2097
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2098
+ providerId: z.string(),
2099
+ label: z.string().optional(),
2100
+ encryptedSecret: z.string().optional(),
2101
+ infisicalPath: z.string().optional(),
2102
+ infisicalSecretKey: z.string().optional(),
2103
+ infisicalProjectId: z.string().optional(),
2104
+ encryptionVersion: z.string(),
2105
+ secretFingerprint: z.string(),
2106
+ keyHint: z.string(),
2107
+ status: z.enum(["active", "revoked"]),
2108
+ rotatedFromSecretRef: z.string().optional(),
2109
+ revokedAt: z.number().optional(),
2110
+ revokedBy: z.string().optional(),
2111
+ lastUsedAt: z.number().optional(),
2112
+ metadata: z.record(z.any()).optional(),
2113
+ createdBy: z.string(),
2114
+ createdAt: z.number(),
2115
+ updatedAt: z.number()
1911
2116
  }),
1912
2117
  indices: [
1913
2118
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1914
2119
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1915
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId"] },
1916
- { kind: "index", name: "by_tenant_provider_status", columns: ["tenantId", "providerId", "status"] },
2120
+ {
2121
+ kind: "index",
2122
+ name: "by_tenant_provider",
2123
+ columns: ["tenantId", "providerId"]
2124
+ },
2125
+ {
2126
+ kind: "index",
2127
+ name: "by_tenant_provider_status",
2128
+ columns: ["tenantId", "providerId", "status"]
2129
+ },
1917
2130
  { kind: "index", name: "by_status", columns: ["status"] }
1918
2131
  ]
1919
2132
  });
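Review bot: `encryptedSecret` becomes optional here next to the new optional `infisicalPath`, `infisicalSecretKey` and `infisicalProjectId`, so the shape now accepts an `"active"` row with no secret material or reference at all, and also a row that carries both. Presumably exactly one backing is intended. If `defineTable` accepts a refined shape, a `.refine()` requiring either `encryptedSecret` or the Infisical path and key would express that; otherwise the writer must enforce it and a comment on the shape should say so. `encryptionVersion` and `secretFingerprint` remain required, so it is worth documenting what they hold for an Infisical-backed row. The defineTable call starts before this hunk, so the table name is not visible.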
@@ -1922,35 +2135,93 @@ defineTable({
1922
2135
  component: "mc",
1923
2136
  category: "runtime",
1924
2137
  shape: z.object({
1925
- "usageId": z.string(),
1926
- "tenantId": idOf("tenants"),
1927
- "providerId": z.string(),
1928
- "modelSlotId": z.string(),
1929
- "secretRef": z.string(),
1930
- "proxyTokenId": z.string(),
1931
- "sessionId": z.string(),
1932
- "principalId": z.string(),
1933
- "workspaceId": z.string().optional(),
1934
- "modelId": z.string().optional(),
1935
- "requestPath": z.string(),
1936
- "status": z.enum(["success", "error"]),
1937
- "responseStatus": z.number().optional(),
1938
- "inputTokens": z.number().optional(),
1939
- "outputTokens": z.number().optional(),
1940
- "tokenCount": z.number().optional(),
1941
- "latencyMs": z.number(),
1942
- "estimatedCostUsd": z.number().optional(),
1943
- "failureCode": z.string().optional(),
1944
- "metadata": z.record(z.any()).optional(),
1945
- "createdAt": z.number(),
1946
- "updatedAt": z.number()
2138
+ usageId: z.string(),
2139
+ tenantId: idOf("tenants"),
2140
+ providerId: z.string(),
2141
+ modelSlotId: z.string(),
2142
+ secretRef: z.string(),
2143
+ proxyTokenId: z.string(),
2144
+ sessionId: z.string(),
2145
+ principalId: z.string(),
2146
+ workspaceId: z.string().optional(),
2147
+ modelId: z.string().optional(),
2148
+ requestPath: z.string(),
2149
+ status: z.enum(["success", "error"]),
2150
+ responseStatus: z.number().optional(),
2151
+ inputTokens: z.number().optional(),
2152
+ outputTokens: z.number().optional(),
2153
+ tokenCount: z.number().optional(),
2154
+ latencyMs: z.number(),
2155
+ estimatedCostUsd: z.number().optional(),
2156
+ failureCode: z.string().optional(),
2157
+ metadata: z.record(z.any()).optional(),
2158
+ createdAt: z.number(),
2159
+ updatedAt: z.number()
1947
2160
  }),
1948
2161
  indices: [
1949
2162
  { kind: "index", name: "by_usageId", columns: ["usageId"] },
1950
2163
  { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
1951
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId", "createdAt"] },
1952
- { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId", "createdAt"] },
1953
- { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] }
2164
+ {
2165
+ kind: "index",
2166
+ name: "by_tenant_provider",
2167
+ columns: ["tenantId", "providerId", "createdAt"]
2168
+ },
2169
+ {
2170
+ kind: "index",
2171
+ name: "by_proxyTokenId",
2172
+ columns: ["proxyTokenId", "createdAt"]
2173
+ },
2174
+ {
2175
+ kind: "index",
2176
+ name: "by_sessionId",
2177
+ columns: ["sessionId", "createdAt"]
2178
+ }
2179
+ ]
2180
+ });
2181
+ defineTable({
2182
+ name: "controlPlaneTenantProxyTokenLeases",
2183
+ component: "mc",
2184
+ category: "runtime",
2185
+ shape: z.object({
2186
+ leaseId: z.string(),
2187
+ proxyTokenId: z.string(),
2188
+ tenantId: idOf("tenants"),
2189
+ workspaceId: idOf("workspaces").optional(),
2190
+ environment: z.enum(["dev", "staging", "prod"]),
2191
+ providerId: z.string(),
2192
+ modelSlotId: z.string(),
2193
+ bindingId: z.string(),
2194
+ secretRef: z.string(),
2195
+ sessionId: z.string(),
2196
+ principalId: z.string(),
2197
+ agentSessionId: z.string().optional(),
2198
+ status: z.enum(["active", "revoked"]),
2199
+ expiresAt: z.number(),
2200
+ renewedAt: z.number().optional(),
2201
+ revokedAt: z.number().optional(),
2202
+ revokedBy: z.string().optional(),
2203
+ revokeReason: z.string().optional(),
2204
+ permitDecisionLogId: idOf("policyDecisionLogs").optional(),
2205
+ permitTraceId: z.string().optional(),
2206
+ metadata: z.record(z.any()).optional(),
2207
+ createdAt: z.number(),
2208
+ updatedAt: z.number()
2209
+ }),
2210
+ indices: [
2211
+ { kind: "index", name: "by_leaseId", columns: ["leaseId"] },
2212
+ { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId"] },
2213
+ { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
2214
+ { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] },
2215
+ {
2216
+ kind: "index",
2217
+ name: "by_principalId",
2218
+ columns: ["principalId", "createdAt"]
2219
+ },
2220
+ {
2221
+ kind: "index",
2222
+ name: "by_status_expiresAt",
2223
+ columns: ["status", "expiresAt"]
2224
+ }
1954
2225
  ]
1955
2226
  });
1956
2227
  defineTable({
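Review bot: The new `controlPlaneTenantProxyTokenLeases` shape has `status: z.enum(["active", "revoked"])` and a separate required `expiresAt`, so a lease past its expiry still reads as `"active"` until something rewrites the row. Every validator has to test both fields. The `by_status_expiresAt` index suggests a sweep is planned, but neither rule is written down, so I would add a comment on the shape such as `// valid only while status === "active" && expiresAt > now; never trust status alone`. `by_proxyTokenId` is declared as a plain index, so the contract should also state whether one proxy token may hold several active leases at once.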
@@ -2283,6 +2554,7 @@ defineTable({
2283
2554
  "questionType": z.enum(["validation", "falsification", "assumption_probe", "prediction_test", "counterfactual", "discovery", "clarification", "comparison", "causal", "mechanism", "general"]).optional(),
2284
2555
  "questionPriority": z.enum(["critical", "high", "medium", "low"]).optional(),
2285
2556
  "answerQuality": z.enum(["definitive", "strong", "moderate", "weak", "speculative", "unanswered"]).optional(),
2557
+ "themeStatus": z.enum(["emerging", "active", "mature", "declining", "archived"]).optional(),
2286
2558
  "themeConviction": z.enum(["high", "medium", "low", "negative"]).optional(),
2287
2559
  "decisionType": z.enum(["invest", "pass", "follow_on", "exit", "deep_dive", "monitor", "deprioritize", "thesis_adopt", "thesis_revise", "thesis_abandon"]).optional(),
2288
2560
  "decisionOutcome": z.enum(["pending", "successful", "unsuccessful", "mixed", "unknown"]).optional(),
@@ -2433,6 +2705,7 @@ defineTable({
2433
2705
  indices: [
2434
2706
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
2435
2707
  { kind: "index", name: "by_principal_tenant", columns: ["principalId", "tenantId"] },
2708
+ { kind: "index", name: "by_principal_tenant_workspace", columns: ["principalId", "tenantId", "workspaceId"] },
2436
2709
  { kind: "index", name: "by_workspace_principal", columns: ["workspaceId", "principalId"] },
2437
2710
  { kind: "index", name: "by_tenant_role", columns: ["tenantId", "role"] },
2438
2711
  { kind: "index", name: "by_status", columns: ["status"] }
@@ -2464,6 +2737,36 @@ defineTable({
2464
2737
  { kind: "index", name: "by_status", columns: ["status"] }
2465
2738
  ]
2466
2739
  });
2740
+ defineTable({
2741
+ name: "principalIdentityAliases",
2742
+ component: "mc",
2743
+ category: "identity",
2744
+ shape: z.object({
2745
+ "principalId": z.string(),
2746
+ "principalRefId": idOf("principals").optional(),
2747
+ "provider": z.string(),
2748
+ "providerProjectId": z.string().optional(),
2749
+ "externalSubjectId": z.string(),
2750
+ "tenantId": idOf("tenants").optional(),
2751
+ "workspaceId": idOf("workspaces").optional(),
2752
+ "email": z.string().optional(),
2753
+ "status": z.enum(["active", "revoked"]),
2754
+ "metadata": z.record(z.any()).optional(),
2755
+ "createdBy": z.string(),
2756
+ "revokedAt": z.number().optional(),
2757
+ "revokedBy": z.string().optional(),
2758
+ "createdAt": z.number(),
2759
+ "updatedAt": z.number()
2760
+ }),
2761
+ indices: [
2762
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "externalSubjectId"] },
2763
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "externalSubjectId"] },
2764
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
2765
+ { kind: "index", name: "by_principal_status", columns: ["principalId", "status"] },
2766
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "externalSubjectId"] },
2767
+ { kind: "index", name: "by_workspace_provider_subject", columns: ["workspaceId", "provider", "externalSubjectId"] }
2768
+ ]
2769
+ });
2467
2770
  defineTable({
2468
2771
  name: "rateLimitWindows",
2469
2772
  component: "mc",
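Review bot: The `by_provider_subject` index on the new `principalIdentityAliases` table keys on `provider` and `externalSubjectId` only, while `providerProjectId`, `tenantId` and `workspaceId` are all optional. If a provider's subject ids are unique only within one project (to be confirmed for the providers in use), a lookup through that index can return an alias created for a different project or tenant and resolve a sign-in to the wrong principal. I would document on the table which index is authoritative for authentication, that resolvers must filter on `status` being `"active"`, and what a row without `providerProjectId` means. If the two-column index exists only for admin search, a comment such as `// not for authentication: use by_provider_project_subject` would prevent misuse.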
@@ -3053,7 +3356,7 @@ defineTable({
3053
3356
  });
3054
3357
  defineTable({
3055
3358
  name: "mcpWritePolicy",
3056
- component: "identity",
3359
+ component: "control-plane",
3057
3360
  category: "platform",
3058
3361
  shape: z.object({
3059
3362
  "topicId": z.string().optional(),
@@ -3076,7 +3379,7 @@ defineTable({
3076
3379
  });
3077
3380
  defineTable({
3078
3381
  name: "platformAudienceGrants",
3079
- component: "identity",
3382
+ component: "control-plane",
3080
3383
  category: "platform",
3081
3384
  shape: z.object({
3082
3385
  "tenantId": z.string(),
@@ -3102,7 +3405,7 @@ defineTable({
3102
3405
  });
3103
3406
  defineTable({
3104
3407
  name: "platformAudiences",
3105
- component: "identity",
3408
+ component: "control-plane",
3106
3409
  category: "platform",
3107
3410
  shape: z.object({
3108
3411
  "tenantId": z.string(),
@@ -3127,7 +3430,7 @@ defineTable({
3127
3430
  });
3128
3431
  defineTable({
3129
3432
  name: "platformPolicyDecisionLogs",
3130
- component: "identity",
3433
+ component: "control-plane",
3131
3434
  category: "platform",
3132
3435
  shape: z.object({
3133
3436
  "principalId": z.string(),
@@ -3163,7 +3466,7 @@ defineTable({
3163
3466
  });
3164
3467
  defineTable({
3165
3468
  name: "tenantApiKeys",
3166
- component: "identity",
3469
+ component: "control-plane",
3167
3470
  category: "platform",
3168
3471
  shape: z.object({
3169
3472
  "tenantId": z.string(),
@@ -3190,7 +3493,7 @@ defineTable({
3190
3493
  });
3191
3494
  defineTable({
3192
3495
  name: "tenantConfig",
3193
- component: "identity",
3496
+ component: "control-plane",
3194
3497
  category: "platform",
3195
3498
  shape: z.object({
3196
3499
  "tenantId": z.string(),
@@ -3209,7 +3512,7 @@ defineTable({
3209
3512
  });
3210
3513
  defineTable({
3211
3514
  name: "tenantIntegrations",
3212
- component: "identity",
3515
+ component: "control-plane",
3213
3516
  category: "platform",
3214
3517
  shape: z.object({
3215
3518
  "tenantId": z.string(),
@@ -3264,7 +3567,7 @@ defineTable({
3264
3567
  });
3265
3568
  defineTable({
3266
3569
  name: "tenantModelSlotBindings",
3267
- component: "identity",
3570
+ component: "control-plane",
3268
3571
  category: "platform",
3269
3572
  shape: z.object({
3270
3573
  "bindingId": z.string(),
@@ -3292,7 +3595,7 @@ defineTable({
3292
3595
  });
3293
3596
  defineTable({
3294
3597
  name: "tenantPolicies",
3295
- component: "identity",
3598
+ component: "control-plane",
3296
3599
  category: "platform",
3297
3600
  shape: z.object({
3298
3601
  "tenantId": z.string(),
@@ -3317,7 +3620,7 @@ defineTable({
3317
3620
  });
3318
3621
  defineTable({
3319
3622
  name: "tenantProviderSecrets",
3320
- component: "identity",
3623
+ component: "control-plane",
3321
3624
  category: "platform",
3322
3625
  shape: z.object({
3323
3626
  "secretRef": z.string(),
@@ -3348,7 +3651,7 @@ defineTable({
3348
3651
  });
3349
3652
  defineTable({
3350
3653
  name: "tenantProxyGatewayUsage",
3351
- component: "identity",
3654
+ component: "control-plane",
3352
3655
  category: "platform",
3353
3656
  shape: z.object({
3354
3657
  "usageId": z.string(),
@@ -3383,7 +3686,7 @@ defineTable({
3383
3686
  });
3384
3687
  defineTable({
3385
3688
  name: "tenantProxyTokenMints",
3386
- component: "identity",
3689
+ component: "control-plane",
3387
3690
  category: "platform",
3388
3691
  shape: z.object({
3389
3692
  "proxyTokenId": z.string(),
@@ -3406,7 +3709,7 @@ defineTable({
3406
3709
  });
3407
3710
  defineTable({
3408
3711
  name: "tenantSandboxAuditEvents",
3409
- component: "identity",
3712
+ component: "control-plane",
3410
3713
  category: "platform",
3411
3714
  shape: z.object({
3412
3715
  "eventId": z.string(),
@@ -3440,7 +3743,7 @@ defineTable({
3440
3743
  });
3441
3744
  defineTable({
3442
3745
  name: "tenantSecrets",
3443
- component: "identity",
3746
+ component: "control-plane",
3444
3747
  category: "platform",
3445
3748
  shape: z.object({
3446
3749
  "tenantId": z.string(),
@@ -3462,7 +3765,7 @@ defineTable({
3462
3765
  });
3463
3766
  defineTable({
3464
3767
  name: "toolAcls",
3465
- component: "identity",
3768
+ component: "control-plane",
3466
3769
  category: "platform",
3467
3770
  shape: z.object({
3468
3771
  "role": z.enum(["platform_admin", "tenant_admin", "workspace_admin", "editor", "viewer", "auditor", "service_agent"]),
@@ -3477,7 +3780,7 @@ defineTable({
3477
3780
  });
3478
3781
  defineTable({
3479
3782
  name: "toolRegistry",
3480
- component: "identity",
3783
+ component: "control-plane",
3481
3784
  category: "platform",
3482
3785
  shape: z.object({
3483
3786
  "toolName": z.string(),
@@ -3558,7 +3861,7 @@ defineTable({
3558
3861
  });
3559
3862
  defineTable({
3560
3863
  name: "modelCallLogs",
3561
- component: "identity",
3864
+ component: "control-plane",
3562
3865
  category: "model",
3563
3866
  shape: z.object({
3564
3867
  "slot": z.string(),
@@ -3584,7 +3887,7 @@ defineTable({
3584
3887
  });
3585
3888
  defineTable({
3586
3889
  name: "modelFunctionSlots",
3587
- component: "identity",
3890
+ component: "control-plane",
3588
3891
  category: "model",
3589
3892
  shape: z.object({
3590
3893
  "slot": z.string(),
@@ -3609,7 +3912,7 @@ defineTable({
3609
3912
  });
3610
3913
  defineTable({
3611
3914
  name: "modelRegistry",
3612
- component: "identity",
3915
+ component: "control-plane",
3613
3916
  category: "model",
3614
3917
  shape: z.object({
3615
3918
  "key": z.string(),
@@ -3636,7 +3939,7 @@ defineTable({
3636
3939
  });
3637
3940
  defineTable({
3638
3941
  name: "modelSlotConfigs",
3639
- component: "identity",
3942
+ component: "control-plane",
3640
3943
  category: "model",
3641
3944
  shape: z.object({
3642
3945
  "slot": z.string(),
@@ -4023,7 +4326,7 @@ defineTable({
4023
4326
  "workspaceId": idOf("workspaces").optional(),
4024
4327
  "resourceType": z.string(),
4025
4328
  "resourceId": z.string(),
4026
- "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote"]),
4329
+ "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote", "route", "invoke", "manage", "deploy", "promote", "rollback", "audit", "read_ref", "fetch_value", "rotate", "administer", "mint", "delegate", "revoke"]),
4027
4330
  "decision": z.enum(["allow", "deny"]),
4028
4331
  "reasonCode": z.string(),
4029
4332
  "policyVersion": z.string(),
@@ -4085,7 +4388,7 @@ defineTable({
4085
4388
  });
4086
4389
  defineTable({
4087
4390
  name: "projectGrants",
4088
- component: "identity",
4391
+ component: "control-plane",
4089
4392
  category: "project",
4090
4393
  shape: z.object({
4091
4394
  "projectId": z.string().optional(),
@@ -4117,91 +4420,735 @@ defineTable({
4117
4420
  { kind: "index", name: "by_topic_cluster_status", columns: ["topicId", "beliefClusterId", "status"] }
4118
4421
  ]
4119
4422
  });
4423
+ var permitActorType = z.enum([
4424
+ "human",
4425
+ "agent",
4426
+ "service_principal",
4427
+ "external_stakeholder",
4428
+ "system"
4429
+ ]);
4430
+ var permitMembershipStatus = z.enum([
4431
+ "active",
4432
+ "invited",
4433
+ "revoked",
4434
+ "suspended",
4435
+ "disabled"
4436
+ ]);
4437
+ var permitDecision = z.enum(["allow", "deny"]);
4438
+ var permitAccessReviewStatus = z.enum([
4439
+ "open",
4440
+ "in_progress",
4441
+ "approved",
4442
+ "denied",
4443
+ "expired",
4444
+ "cancelled"
4445
+ ]);
4446
+ var permitReviewScope = z.enum([
4447
+ "tenant",
4448
+ "workspace",
4449
+ "resource_instance",
4450
+ "group",
4451
+ "principal",
4452
+ "api_key",
4453
+ "admin_action"
4454
+ ]);
4455
+ var permitRecordStatus = z.enum([
4456
+ "queued",
4457
+ "inflight",
4458
+ "completed",
4459
+ "failed",
4460
+ "skipped",
4461
+ "stale"
4462
+ ]);
4463
+ var permitObjectType = z.enum([
4464
+ "resource",
4465
+ "role",
4466
+ "resource_role",
4467
+ "resource_relation",
4468
+ "tenant",
4469
+ "workspace",
4470
+ "principal",
4471
+ "membership",
4472
+ "group",
4473
+ "resource_instance",
4474
+ "relationship_tuple",
4475
+ "role_assignment",
4476
+ "attribute_binding",
4477
+ "policy_bundle"
4478
+ ]);
4479
+ var permitOutboxOperation = z.enum([
4480
+ "upsert",
4481
+ "delete",
4482
+ "sync",
4483
+ "resync",
4484
+ "delete_sync",
4485
+ "noop"
4486
+ ]);
4487
+ var permitPolicyBundleStatus = z.enum([
4488
+ "draft",
4489
+ "validated",
4490
+ "enforced",
4491
+ "archived"
4492
+ ]);
4493
+ var permitSyncStatus = z.enum([
4494
+ "pending",
4495
+ "synced",
4496
+ "error",
4497
+ "skipped"
4498
+ ]);
4499
+ var permitAccessReviewSubjectType = z.enum([
4500
+ "principal",
4501
+ "group",
4502
+ "role_assignment",
4503
+ "resource_instance"
4504
+ ]);
4505
+ var permitAttributeType = z.enum([
4506
+ "string",
4507
+ "number",
4508
+ "bool",
4509
+ "json",
4510
+ "time"
4511
+ ]);
4512
+ var permitAttributeOperator = z.enum([
4513
+ "eq",
4514
+ "neq",
4515
+ "in",
4516
+ "not_in",
4517
+ "gt",
4518
+ "gte",
4519
+ "lt",
4520
+ "lte",
4521
+ "contains",
4522
+ "not_contains",
4523
+ "matches"
4524
+ ]);
4525
+ var permitRoleBindingTarget = z.enum([
4526
+ "principal",
4527
+ "group"
4528
+ ]);
4120
4529
  defineTable({
4121
- name: "reasoningPermissions",
4122
- component: "identity",
4123
- category: "epistemic",
4530
+ name: "permitPrincipals",
4531
+ component: "control-plane",
4532
+ category: "access-control",
4124
4533
  shape: z.object({
4125
- "topicId": z.string().optional(),
4126
- "principalId": z.string(),
4127
- "nodeType": z.enum(["belief", "evidence", "action", "approval", "artifact"]),
4128
- "action": z.enum(["view_conclusion", "view_evidence", "propose_action", "approve_action", "view_derived_artifact"]),
4129
- "effect": z.enum(["allow", "deny"]),
4130
- "policyReference": z.string().optional(),
4131
- "rationale": z.string().optional(),
4132
- "metadata": z.record(z.any()).optional(),
4133
- "createdAt": z.number(),
4134
- "createdBy": z.string(),
4135
- "updatedAt": z.number()
4534
+ principalId: z.string(),
4535
+ tenantId: z.string(),
4536
+ workspaceId: z.optional(z.string()),
4537
+ principalType: permitActorType,
4538
+ status: permitMembershipStatus,
4539
+ displayName: z.string().optional(),
4540
+ metadata: z.record(z.any()).optional(),
4541
+ createdBy: z.string(),
4542
+ createdAt: z.number(),
4543
+ updatedAt: z.number(),
4544
+ updatedBy: z.string().optional(),
4545
+ lastSeenAt: z.number().optional()
4136
4546
  }),
4137
4547
  indices: [
4138
- { kind: "index", name: "by_topic_principal", columns: ["topicId", "principalId"] },
4139
- { kind: "index", name: "by_topic_principal_action", columns: ["topicId", "principalId", "action"] },
4140
- { kind: "index", name: "by_topic_principal_node_action", columns: ["topicId", "principalId", "nodeType", "action"] },
4141
- { kind: "index", name: "by_principal_action", columns: ["principalId", "action"] }
4548
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4549
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4550
+ { kind: "index", name: "by_tenant_principalId", columns: ["tenantId", "principalId"] },
4551
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4552
+ {
4553
+ kind: "index",
4554
+ name: "by_tenant_principalType_status",
4555
+ columns: ["tenantId", "principalType", "status"]
4556
+ }
4142
4557
  ]
4143
4558
  });
4144
4559
  defineTable({
4145
- name: "schemaEnumConfig",
4146
- component: "kernel",
4147
- category: "config",
4560
+ name: "permitPrincipalAliases",
4561
+ component: "control-plane",
4562
+ category: "access-control",
4148
4563
  shape: z.object({
4149
- "tenantId": z.string().optional(),
4150
- "category": z.string(),
4151
- "value": z.string(),
4152
- "label": z.string(),
4153
- "description": z.string().optional(),
4154
- "tier": z.enum(["platform", "tenant"]),
4155
- "domainNamespace": z.string().optional(),
4156
- "metadata": z.any().optional(),
4157
- "isDefault": z.boolean().optional(),
4158
- "sortOrder": z.number().optional(),
4159
- "status": z.enum(["active", "deprecated"]),
4160
- "createdAt": z.number(),
4161
- "updatedAt": z.number()
4564
+ principalId: z.string(),
4565
+ tenantId: z.string(),
4566
+ workspaceId: z.optional(z.string()),
4567
+ provider: z.string(),
4568
+ providerSubjectId: z.string(),
4569
+ providerProjectId: z.string().optional(),
4570
+ alias: z.string(),
4571
+ aliasKind: z.string(),
4572
+ status: permitMembershipStatus,
4573
+ metadata: z.record(z.any()).optional(),
4574
+ createdBy: z.string(),
4575
+ createdAt: z.number(),
4576
+ updatedAt: z.number(),
4577
+ revokedBy: z.string().optional(),
4578
+ revokedAt: z.number().optional(),
4579
+ updatedBy: z.string().optional()
4162
4580
  }),
4163
4581
  indices: [
4164
- { kind: "index", name: "by_category", columns: ["category"] },
4165
- { kind: "index", name: "by_tenant_category", columns: ["tenantId", "category"] },
4166
- { kind: "index", name: "by_category_value", columns: ["category", "value"] }
4582
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
4583
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "providerSubjectId"] },
4584
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "providerSubjectId"] },
4585
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
4586
+ { kind: "index", name: "by_tenant_provider_project_subject", columns: ["tenantId", "provider", "providerProjectId", "providerSubjectId"] },
4587
+ {
4588
+ kind: "index",
4589
+ name: "by_tenant_provider_alias",
4590
+ columns: ["tenantId", "provider", "alias"]
4591
+ },
4592
+ { kind: "index", name: "by_tenant_alias", columns: ["tenantId", "alias"] },
4593
+ {
4594
+ kind: "index",
4595
+ name: "by_tenant_provider_status",
4596
+ columns: ["tenantId", "provider", "status"]
4597
+ }
4167
4598
  ]
4168
4599
  });
4169
4600
  defineTable({
4170
- name: "tasks",
4171
- component: "kernel",
4172
- category: "task",
4601
+ name: "permitGroups",
4602
+ component: "control-plane",
4603
+ category: "access-control",
4173
4604
  shape: z.object({
4174
- "topicId": z.string().optional(),
4175
- "tenantId": z.string().optional(),
4176
- "workspaceId": z.string().optional(),
4177
- "title": z.string(),
4178
- "description": z.string().optional(),
4179
- "status": z.enum(["todo", "in_progress", "blocked", "done"]),
4180
- "priority": z.enum(["urgent", "high", "medium", "low"]),
4181
- "dueDate": z.number().optional(),
4182
- "linkedWorktreeId": idOf("worktrees").optional(),
4183
- "linkedBeliefId": z.string().optional(),
4184
- "linkedQuestionId": z.string().optional(),
4185
- "taskType": z.enum(["general", "find_evidence", "verify_claim", "research", "review", "interview", "analysis", "track_metrics"]).optional(),
4186
- "assigneeId": z.string().optional(),
4187
- "blockedReason": z.string().optional(),
4188
- "blockedBy": z.array(idOf("tasks")).optional(),
4189
- "blocks": z.array(idOf("tasks")).optional(),
4190
- "sortOrder": z.number().optional(),
4191
- "executionOrder": z.number().optional(),
4192
- "subtasks": z.array(z.object({
4193
- "id": z.string(),
4194
- "title": z.string(),
4195
- "completed": z.boolean(),
4196
- "completedAt": z.number().optional()
4197
- })).optional(),
4198
- "comments": z.array(z.object({
4199
- "id": z.string(),
4200
- "userId": z.string(),
4201
- "content": z.string(),
4202
- "createdAt": z.number()
4203
- })).optional(),
4204
- "attachments": z.array(z.object({
4605
+ tenantId: z.string(),
4606
+ workspaceId: z.optional(z.string()),
4607
+ groupId: z.string(),
4608
+ groupKey: z.string(),
4609
+ groupName: z.string(),
4610
+ groupType: z.enum(["tenant", "workspace", "external", "system", "dynamic"]),
4611
+ status: permitMembershipStatus,
4612
+ description: z.string().optional(),
4613
+ metadata: z.record(z.any()).optional(),
4614
+ createdBy: z.string(),
4615
+ createdAt: z.number(),
4616
+ updatedAt: z.number(),
4617
+ updatedBy: z.string().optional()
4618
+ }),
4619
+ indices: [
4620
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4621
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4622
+ { kind: "index", name: "by_tenant_groupId", columns: ["tenantId", "groupId"] },
4623
+ { kind: "index", name: "by_tenant_groupKey", columns: ["tenantId", "groupKey"] },
4624
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4625
+ ]
4626
+ });
4627
+ defineTable({
4628
+ name: "permitGroupMemberships",
4629
+ component: "control-plane",
4630
+ category: "access-control",
4631
+ shape: z.object({
4632
+ tenantId: z.string(),
4633
+ workspaceId: z.optional(z.string()),
4634
+ groupId: z.string(),
4635
+ memberType: z.enum(["principal", "group"]),
4636
+ memberId: z.string(),
4637
+ principalId: z.string().optional(),
4638
+ childGroupId: z.string().optional(),
4639
+ status: permitMembershipStatus,
4640
+ addedBy: z.string().optional(),
4641
+ revokedBy: z.string().optional(),
4642
+ expiresAt: z.number().optional(),
4643
+ revocationReason: z.string().optional(),
4644
+ metadata: z.record(z.any()).optional(),
4645
+ createdAt: z.number(),
4646
+ updatedAt: z.number(),
4647
+ updatedBy: z.string().optional()
4648
+ }),
4649
+ indices: [
4650
+ { kind: "index", name: "by_tenant_principal", columns: ["tenantId", "principalId"] },
4651
+ { kind: "index", name: "by_tenant_member", columns: ["tenantId", "memberType", "memberId"] },
4652
+ {
4653
+ kind: "index",
4654
+ name: "by_tenant_member_group",
4655
+ columns: ["tenantId", "memberType", "memberId", "groupId"]
4656
+ },
4657
+ { kind: "index", name: "by_tenant_group", columns: ["tenantId", "groupId"] },
4658
+ { kind: "index", name: "by_member_group", columns: ["memberType", "memberId", "groupId"] },
4659
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4660
+ {
4661
+ kind: "index",
4662
+ name: "by_workspace_principal",
4663
+ columns: ["workspaceId", "principalId"]
4664
+ }
4665
+ ]
4666
+ });
4667
+ defineTable({
4668
+ name: "permitResourceInstances",
4669
+ component: "control-plane",
4670
+ category: "access-control",
4671
+ shape: z.object({
4672
+ tenantId: z.string(),
4673
+ workspaceId: z.optional(z.string()),
4674
+ resourceType: z.string(),
4675
+ resourceKey: z.string(),
4676
+ resourceId: z.string(),
4677
+ status: z.enum(["active", "deleted", "archived"]),
4678
+ attributes: z.record(z.any()).optional(),
4679
+ ownerPrincipalId: z.string().optional(),
4680
+ metadata: z.record(z.any()).optional(),
4681
+ createdBy: z.string(),
4682
+ updatedBy: z.string().optional(),
4683
+ createdAt: z.number(),
4684
+ updatedAt: z.number()
4685
+ }),
4686
+ indices: [
4687
+ {
4688
+ kind: "index",
4689
+ name: "by_tenant_resource_type",
4690
+ columns: ["tenantId", "resourceType"]
4691
+ },
4692
+ {
4693
+ kind: "index",
4694
+ name: "by_tenant_resource_key",
4695
+ columns: ["tenantId", "resourceType", "resourceKey"]
4696
+ },
4697
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4698
+ { kind: "index", name: "by_status", columns: ["status"] },
4699
+ {
4700
+ kind: "index",
4701
+ name: "by_tenant_status",
4702
+ columns: ["tenantId", "status"]
4703
+ },
4704
+ {
4705
+ kind: "index",
4706
+ name: "by_ownerPrincipalId",
4707
+ columns: ["ownerPrincipalId"]
4708
+ }
4709
+ ]
4710
+ });
4711
+ defineTable({
4712
+ name: "permitRoleAssignments",
4713
+ component: "control-plane",
4714
+ category: "access-control",
4715
+ shape: z.object({
4716
+ tenantId: z.string(),
4717
+ workspaceId: z.optional(z.string()),
4718
+ role: z.string(),
4719
+ targetType: permitRoleBindingTarget,
4720
+ targetId: z.string(),
4721
+ resourceType: z.string(),
4722
+ resourceKey: z.string(),
4723
+ resourceInstanceId: z.string().optional(),
4724
+ status: permitMembershipStatus,
4725
+ expiresAt: z.number().optional(),
4726
+ attributes: z.record(z.any()).optional(),
4727
+ grantedBy: z.string().optional(),
4728
+ updatedBy: z.string().optional(),
4729
+ revokedBy: z.string().optional(),
4730
+ createdAt: z.number(),
4731
+ updatedAt: z.number()
4732
+ }),
4733
+ indices: [
4734
+ {
4735
+ kind: "index",
4736
+ name: "by_tenant_target",
4737
+ columns: ["tenantId", "targetType", "targetId"]
4738
+ },
4739
+ {
4740
+ kind: "index",
4741
+ name: "by_tenant_resource",
4742
+ columns: ["tenantId", "resourceType", "resourceKey"]
4743
+ },
4744
+ {
4745
+ kind: "index",
4746
+ name: "by_tenant_role",
4747
+ columns: ["tenantId", "role", "status"]
4748
+ },
4749
+ { kind: "index", name: "by_status", columns: ["status"] },
4750
+ {
4751
+ kind: "index",
4752
+ name: "by_workspace_resource",
4753
+ columns: ["workspaceId", "resourceType", "resourceKey"]
4754
+ }
4755
+ ]
4756
+ });
4757
+ defineTable({
4758
+ name: "permitRelationshipTuples",
4759
+ component: "control-plane",
4760
+ category: "access-control",
4761
+ shape: z.object({
4762
+ tenantId: z.string(),
4763
+ workspaceId: z.optional(z.string()),
4764
+ relation: z.string(),
4765
+ subject: z.string(),
4766
+ object: z.string(),
4767
+ resourceType: z.string().optional(),
4768
+ resourceKey: z.string().optional(),
4769
+ status: permitRecordStatus,
4770
+ attributes: z.record(z.any()).optional(),
4771
+ createdBy: z.string(),
4772
+ createdAt: z.number(),
4773
+ updatedAt: z.number(),
4774
+ lastSeenAt: z.number().optional(),
4775
+ updatedBy: z.string().optional()
4776
+ }),
4777
+ indices: [
4778
+ { kind: "index", name: "by_tenant_subject", columns: ["tenantId", "subject"] },
4779
+ { kind: "index", name: "by_tenant_object", columns: ["tenantId", "object"] },
4780
+ { kind: "index", name: "by_tenant_relation", columns: ["tenantId", "relation"] },
4781
+ {
4782
+ kind: "index",
4783
+ name: "by_tenant_relation_subject",
4784
+ columns: ["tenantId", "relation", "subject"]
4785
+ },
4786
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4787
+ ]
4788
+ });
4789
+ defineTable({
4790
+ name: "permitAttributeBindings",
4791
+ component: "control-plane",
4792
+ category: "access-control",
4793
+ shape: z.object({
4794
+ tenantId: z.string(),
4795
+ workspaceId: z.optional(z.string()),
4796
+ targetType: permitRoleBindingTarget,
4797
+ targetId: z.string(),
4798
+ attributeName: z.string(),
4799
+ attributeType: permitAttributeType,
4800
+ attributeOperator: permitAttributeOperator,
4801
+ attributeValue: z.any(),
4802
+ status: permitRecordStatus,
4803
+ source: z.string().optional(),
4804
+ sourceRef: z.string().optional(),
4805
+ metadata: z.record(z.any()).optional(),
4806
+ createdAt: z.number(),
4807
+ updatedAt: z.number(),
4808
+ createdBy: z.string(),
4809
+ updatedBy: z.string().optional(),
4810
+ expiresAt: z.number().optional()
4811
+ }),
4812
+ indices: [
4813
+ {
4814
+ kind: "index",
4815
+ name: "by_tenant_target",
4816
+ columns: ["tenantId", "targetType", "targetId"]
4817
+ },
4818
+ {
4819
+ kind: "index",
4820
+ name: "by_tenant_target_attribute",
4821
+ columns: ["tenantId", "targetType", "targetId", "attributeName"]
4822
+ },
4823
+ {
4824
+ kind: "index",
4825
+ name: "by_tenant_name",
4826
+ columns: ["tenantId", "attributeName"]
4827
+ },
4828
+ {
4829
+ kind: "index",
4830
+ name: "by_tenant_status",
4831
+ columns: ["tenantId", "status"]
4832
+ }
4833
+ ]
4834
+ });
4835
+ defineTable({
4836
+ name: "permitPolicyBundles",
4837
+ component: "control-plane",
4838
+ category: "access-control",
4839
+ shape: z.object({
4840
+ tenantId: z.string(),
4841
+ workspaceId: z.optional(z.string()),
4842
+ bundleKey: z.string(),
4843
+ version: z.number(),
4844
+ status: permitPolicyBundleStatus,
4845
+ policyHash: z.string().optional(),
4846
+ policyPayload: z.record(z.any()),
4847
+ metadata: z.record(z.any()).optional(),
4848
+ createdBy: z.string(),
4849
+ reviewedBy: z.string().optional(),
4850
+ createdAt: z.number(),
4851
+ updatedAt: z.number(),
4852
+ retiredAt: z.number().optional()
4853
+ }),
4854
+ indices: [
4855
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4856
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4857
+ {
4858
+ kind: "index",
4859
+ name: "by_tenant_bundleKey",
4860
+ columns: ["tenantId", "bundleKey"]
4861
+ },
4862
+ {
4863
+ kind: "index",
4864
+ name: "by_tenant_bundle_version",
4865
+ columns: ["tenantId", "bundleKey", "version"]
4866
+ },
4867
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4868
+ ]
4869
+ });
4870
+ defineTable({
4871
+ name: "permitProjectionOutbox",
4872
+ component: "control-plane",
4873
+ category: "access-control",
4874
+ shape: z.object({
4875
+ syncKey: z.string(),
4876
+ objectType: permitObjectType,
4877
+ objectId: z.string(),
4878
+ operation: permitOutboxOperation,
4879
+ payload: z.record(z.any()),
4880
+ status: permitRecordStatus,
4881
+ attemptCount: z.number(),
4882
+ nextAttemptAt: z.number().optional(),
4883
+ lastError: z.string().optional(),
4884
+ tenantId: z.string().optional(),
4885
+ workspaceId: z.optional(z.string()),
4886
+ principalId: z.string().optional(),
4887
+ permitTenantKey: z.string().optional(),
4888
+ permitResourceType: z.string().optional(),
4889
+ permitResourceKey: z.string().optional(),
4890
+ createdAt: z.number(),
4891
+ updatedAt: z.number(),
4892
+ lastHandledAt: z.number().optional()
4893
+ }),
4894
+ indices: [
4895
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4896
+ { kind: "index", name: "by_status", columns: ["status"] },
4897
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4898
+ {
4899
+ kind: "index",
4900
+ name: "by_tenant_status",
4901
+ columns: ["tenantId", "status"]
4902
+ },
4903
+ {
4904
+ kind: "index",
4905
+ name: "by_objectType",
4906
+ columns: ["objectType", "status"]
4907
+ }
4908
+ ]
4909
+ });
4910
+ defineTable({
4911
+ name: "tenantPermitSyncStates",
4912
+ component: "control-plane",
4913
+ category: "access-control",
4914
+ shape: z.object({
4915
+ syncKey: z.string(),
4916
+ objectType: permitObjectType,
4917
+ objectId: z.string(),
4918
+ tenantId: z.string().optional(),
4919
+ workspaceId: z.string().optional(),
4920
+ principalId: z.string().optional(),
4921
+ permitTenantKey: z.string().optional(),
4922
+ permitResourceType: z.string().optional(),
4923
+ permitResourceKey: z.string().optional(),
4924
+ desiredPayload: z.record(z.any()),
4925
+ lastAppliedPayloadHash: z.string().optional(),
4926
+ status: permitSyncStatus,
4927
+ attemptCount: z.number(),
4928
+ lastError: z.string().optional(),
4929
+ nextAttemptAt: z.number().optional(),
4930
+ lastSyncedAt: z.number().optional(),
4931
+ createdBy: z.string(),
4932
+ updatedBy: z.string().optional(),
4933
+ createdAt: z.number(),
4934
+ updatedAt: z.number()
4935
+ }),
4936
+ indices: [
4937
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4938
+ { kind: "index", name: "by_status", columns: ["status"] },
4939
+ {
4940
+ kind: "index",
4941
+ name: "by_tenant_status",
4942
+ columns: ["tenantId", "status"]
4943
+ },
4944
+ {
4945
+ kind: "index",
4946
+ name: "by_workspace_status",
4947
+ columns: ["workspaceId", "status"]
4948
+ },
4949
+ {
4950
+ kind: "index",
4951
+ name: "by_principal_status",
4952
+ columns: ["principalId", "status"]
4953
+ }
4954
+ ]
4955
+ });
4956
+ defineTable({
4957
+ name: "permitPolicyDecisionReceipts",
4958
+ component: "control-plane",
4959
+ category: "access-control",
4960
+ shape: z.object({
4961
+ tenantId: z.string().optional(),
4962
+ workspaceId: z.string().optional(),
4963
+ principalId: z.string(),
4964
+ subjectType: permitAccessReviewSubjectType.optional(),
4965
+ subjectId: z.string().optional(),
4966
+ resourceType: z.string(),
4967
+ resourceId: z.string(),
4968
+ action: z.string(),
4969
+ decision: permitDecision,
4970
+ reasonCode: z.string(),
4971
+ policyBundleId: z.string().optional(),
4972
+ policyVersion: z.string(),
4973
+ traceId: z.string().optional(),
4974
+ requestId: z.string().optional(),
4975
+ audienceMode: z.string().optional(),
4976
+ audienceKey: z.string().optional(),
4977
+ audienceClass: z.enum(["internal", "restricted_external", "public"]).optional(),
4978
+ metadata: z.record(z.any()).optional(),
4979
+ createdAt: z.number(),
4980
+ expiresAt: z.number().optional(),
4981
+ createdBy: z.string().optional()
4982
+ }),
4983
+ indices: [
4984
+ { kind: "index", name: "by_principal_createdAt", columns: ["principalId", "createdAt"] },
4985
+ { kind: "index", name: "by_tenant_createdAt", columns: ["tenantId", "createdAt"] },
4986
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId"] },
4987
+ { kind: "index", name: "by_decision_createdAt", columns: ["decision", "createdAt"] },
4988
+ { kind: "index", name: "by_traceId", columns: ["traceId"] },
4989
+ { kind: "index", name: "by_action", columns: ["action"] }
4990
+ ]
4991
+ });
4992
+ defineTable({
4993
+ name: "permitAccessReviews",
4994
+ component: "control-plane",
4995
+ category: "access-control",
4996
+ shape: z.object({
4997
+ tenantId: z.string(),
4998
+ workspaceId: z.optional(z.string()),
4999
+ reviewKey: z.string(),
5000
+ scope: permitReviewScope,
5001
+ status: permitAccessReviewStatus,
5002
+ subjectType: permitAccessReviewSubjectType,
5003
+ subjectId: z.string(),
5004
+ resourceType: z.string().optional(),
5005
+ resourceKey: z.string().optional(),
5006
+ outcome: z.enum(["allow", "deny"]).optional(),
5007
+ requestedBy: z.string(),
5008
+ reviewedBy: z.string().optional(),
5009
+ requestedAt: z.number(),
5010
+ reviewedAt: z.number().optional(),
5011
+ dueAt: z.number().optional(),
5012
+ justification: z.string().optional(),
5013
+ rationale: z.string().optional(),
5014
+ policyBundleId: z.string().optional(),
5015
+ metadata: z.record(z.any()).optional(),
5016
+ createdAt: z.number(),
5017
+ updatedAt: z.number()
5018
+ }),
5019
+ indices: [
5020
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
5021
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
5022
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
5023
+ {
5024
+ kind: "index",
5025
+ name: "by_tenant_subject",
5026
+ columns: ["tenantId", "subjectType", "subjectId"]
5027
+ },
5028
+ { kind: "index", name: "by_outcome", columns: ["outcome"] },
5029
+ {
5030
+ kind: "index",
5031
+ name: "by_workspace_status",
5032
+ columns: ["workspaceId", "status"]
5033
+ }
5034
+ ]
5035
+ });
5036
+ defineTable({
5037
+ name: "permitAccessReviewItems",
5038
+ component: "control-plane",
5039
+ category: "access-control",
5040
+ shape: z.object({
5041
+ reviewKey: z.string(),
5042
+ itemKey: z.string(),
5043
+ tenantId: z.string(),
5044
+ workspaceId: z.string().optional(),
5045
+ subjectType: permitAccessReviewSubjectType,
5046
+ subjectId: z.string(),
5047
+ resourceType: z.string().optional(),
5048
+ resourceKey: z.string().optional(),
5049
+ role: z.string().optional(),
5050
+ relation: z.string().optional(),
5051
+ status: z.enum(["open", "approved", "revoked", "changed", "deferred"]),
5052
+ reviewerId: z.string().optional(),
5053
+ decisionAt: z.number().optional(),
5054
+ rationale: z.string().optional(),
5055
+ metadata: z.record(z.any()).optional(),
5056
+ createdAt: z.number(),
5057
+ updatedAt: z.number()
5058
+ }),
5059
+ indices: [
5060
+ { kind: "index", name: "by_reviewKey", columns: ["reviewKey"] },
5061
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
5062
+ { kind: "index", name: "by_tenant_itemKey", columns: ["tenantId", "itemKey"] },
5063
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
5064
+ { kind: "index", name: "by_status", columns: ["status"] }
5065
+ ]
5066
+ });
5067
+ defineTable({
5068
+ name: "reasoningPermissions",
5069
+ component: "control-plane",
5070
+ category: "epistemic",
5071
+ shape: z.object({
5072
+ "topicId": z.string().optional(),
5073
+ "principalId": z.string(),
5074
+ "nodeType": z.enum(["belief", "evidence", "action", "approval", "artifact"]),
5075
+ "action": z.enum(["view_conclusion", "view_evidence", "propose_action", "approve_action", "view_derived_artifact"]),
5076
+ "effect": z.enum(["allow", "deny"]),
5077
+ "policyReference": z.string().optional(),
5078
+ "rationale": z.string().optional(),
5079
+ "metadata": z.record(z.any()).optional(),
5080
+ "createdAt": z.number(),
5081
+ "createdBy": z.string(),
5082
+ "updatedAt": z.number()
5083
+ }),
5084
+ indices: [
5085
+ { kind: "index", name: "by_topic_principal", columns: ["topicId", "principalId"] },
5086
+ { kind: "index", name: "by_topic_principal_action", columns: ["topicId", "principalId", "action"] },
5087
+ { kind: "index", name: "by_topic_principal_node_action", columns: ["topicId", "principalId", "nodeType", "action"] },
5088
+ { kind: "index", name: "by_principal_action", columns: ["principalId", "action"] }
5089
+ ]
5090
+ });
5091
+ defineTable({
5092
+ name: "schemaEnumConfig",
5093
+ component: "kernel",
5094
+ category: "config",
5095
+ shape: z.object({
5096
+ "tenantId": z.string().optional(),
5097
+ "category": z.string(),
5098
+ "value": z.string(),
5099
+ "label": z.string(),
5100
+ "description": z.string().optional(),
5101
+ "tier": z.enum(["platform", "tenant"]),
5102
+ "domainNamespace": z.string().optional(),
5103
+ "metadata": z.any().optional(),
5104
+ "isDefault": z.boolean().optional(),
5105
+ "sortOrder": z.number().optional(),
5106
+ "status": z.enum(["active", "deprecated"]),
5107
+ "createdAt": z.number(),
5108
+ "updatedAt": z.number()
5109
+ }),
5110
+ indices: [
5111
+ { kind: "index", name: "by_category", columns: ["category"] },
5112
+ { kind: "index", name: "by_tenant_category", columns: ["tenantId", "category"] },
5113
+ { kind: "index", name: "by_category_value", columns: ["category", "value"] }
5114
+ ]
5115
+ });
5116
+ defineTable({
5117
+ name: "tasks",
5118
+ component: "kernel",
5119
+ category: "task",
5120
+ shape: z.object({
5121
+ "topicId": z.string().optional(),
5122
+ "tenantId": z.string().optional(),
5123
+ "workspaceId": z.string().optional(),
5124
+ "title": z.string(),
5125
+ "description": z.string().optional(),
5126
+ "status": z.enum(["todo", "in_progress", "blocked", "done"]),
5127
+ "priority": z.enum(["urgent", "high", "medium", "low"]),
5128
+ "dueDate": z.number().optional(),
5129
+ "linkedWorktreeId": idOf("worktrees").optional(),
5130
+ "linkedBeliefId": z.string().optional(),
5131
+ "linkedQuestionId": z.string().optional(),
5132
+ "taskType": z.enum(["general", "find_evidence", "verify_claim", "research", "review", "interview", "analysis", "track_metrics"]).optional(),
5133
+ "assigneeId": z.string().optional(),
5134
+ "blockedReason": z.string().optional(),
5135
+ "blockedBy": z.array(idOf("tasks")).optional(),
5136
+ "blocks": z.array(idOf("tasks")).optional(),
5137
+ "sortOrder": z.number().optional(),
5138
+ "executionOrder": z.number().optional(),
5139
+ "subtasks": z.array(z.object({
5140
+ "id": z.string(),
5141
+ "title": z.string(),
5142
+ "completed": z.boolean(),
5143
+ "completedAt": z.number().optional()
5144
+ })).optional(),
5145
+ "comments": z.array(z.object({
5146
+ "id": z.string(),
5147
+ "userId": z.string(),
5148
+ "content": z.string(),
5149
+ "createdAt": z.number()
5150
+ })).optional(),
5151
+ "attachments": z.array(z.object({
4205
5152
  "id": z.string(),
4206
5153
  "type": z.enum(["call_script", "email_template", "research_plan", "framework", "checklist", "note", "file", "transcript"]),
4207
5154
  "title": z.string(),
@@ -4354,6 +5301,7 @@ defineTable({
4354
5301
  "updatedAt": z.number()
4355
5302
  }),
4356
5303
  indices: [
5304
+ { kind: "index", name: "by_globalId", columns: ["globalId"] },
4357
5305
  { kind: "index", name: "by_parent", columns: ["parentTopicId"] },
4358
5306
  { kind: "index", name: "by_type", columns: ["type"] },
4359
5307
  { kind: "index", name: "by_graph_scope_project", columns: ["graphScopeProjectId"] },
@@ -4365,7 +5313,7 @@ defineTable({
4365
5313
  });
4366
5314
  defineTable({
4367
5315
  name: "users",
4368
- component: "identity",
5316
+ component: "control-plane",
4369
5317
  category: "user",
4370
5318
  shape: z.object({
4371
5319
  "clerkId": z.string(),
@@ -4479,7 +5427,6 @@ defineTable({
4479
5427
  "deployments": z.record(z.object({
4480
5428
  "url": z.string(),
4481
5429
  "target": z.enum(["kernelDeployment", "appDeployment"]).optional(),
4482
- "encryptedDeployKey": z.string().optional(),
4483
5430
  "credentialRef": z.string().optional()
4484
5431
  })).optional(),
4485
5432
  "metadata": z.record(z.any()).optional(),
@@ -4494,6 +5441,39 @@ defineTable({
4494
5441
  { kind: "index", name: "by_status", columns: ["status"] }
4495
5442
  ]
4496
5443
  });
5444
+ defineTable({
5445
+ name: "deploymentHosts",
5446
+ component: "mc",
5447
+ category: "workspace",
5448
+ shape: z.object({
5449
+ "host": z.string(),
5450
+ "tenantId": idOf("tenants"),
5451
+ "workspaceId": idOf("workspaces"),
5452
+ "environment": z.enum(["dev", "staging", "prod"]),
5453
+ "target": z.enum(["kernelDeployment", "appDeployment"]),
5454
+ "deploymentUrl": z.string().optional(),
5455
+ "deploymentName": z.string().optional(),
5456
+ "vercelProjectName": z.string().optional(),
5457
+ "vercelProjectId": z.string().optional(),
5458
+ "vercelEnvironment": z.enum(["development", "preview", "staging", "production"]).optional(),
5459
+ "source": z.enum(["vercel_preview", "vercel_production", "vercel_custom_environment", "custom_domain", "manual"]),
5460
+ "status": z.enum(["active", "revoked"]),
5461
+ "metadata": z.record(z.any()).optional(),
5462
+ "createdBy": z.string(),
5463
+ "createdAt": z.number(),
5464
+ "updatedAt": z.number(),
5465
+ "revokedAt": z.number().optional(),
5466
+ "revokedBy": z.string().optional()
5467
+ }),
5468
+ indices: [
5469
+ { kind: "index", name: "by_host", columns: ["host"] },
5470
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
5471
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
5472
+ { kind: "index", name: "by_tenant_workspace_environment", columns: ["tenantId", "workspaceId", "environment"] },
5473
+ { kind: "index", name: "by_workspace_status", columns: ["workspaceId", "status"] },
5474
+ { kind: "index", name: "by_status", columns: ["status"] }
5475
+ ]
5476
+ });
4497
5477
  defineTable({
4498
5478
  name: "worktreeBeliefCluster",
4499
5479
  component: "kernel",
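Review bot: `"host": z.string()` in the new `deploymentHosts` table accepts any string, and `by_host` indexes it verbatim, so a difference in case, a trailing dot or a port suffix would make the same hostname store and look up as different keys. The reader is not in this hunk, but if these rows resolve a request host to `tenantId`/`workspaceId`, that lookup is a tenant-isolation boundary: canonicalise on write, e.g. `"host": z.string().trim().toLowerCase().min(1)` (or in the writer, if `defineTable` shapes cannot carry transforms), and have lookups accept only `status: "active"` rows. The shape also lets a row be `status: "revoked"` without `revokedAt`/`revokedBy`, or carry them while still `active`; a one-line comment stating the intended invariant would help, e.g. `// revokedAt and revokedBy are set if and only if status is "revoked"`. `"metadata": z.record(z.any())` takes arbitrary values, so a comment that credentials belong in `credentialRef`-style references rather than in `metadata` would keep this table in line with the `encryptedDeployKey` removal in the previous hunk.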
@@ -4801,8 +5781,8 @@ defineTable({
4801
5781
  });
4802
5782
  z.object({
4803
5783
  manifestVersion: z.string(),
4804
- componentName: z.enum(["kernel", "identity"]),
4805
- tier: z.enum(["K", "I"]),
5784
+ componentName: z.enum(["kernel", "control-plane"]),
5785
+ tier: z.enum(["K", "CP"]),
4806
5786
  packageVersion: z.string(),
4807
5787
  tables: z.array(
4808
5788
  z.object({
@@ -4969,7 +5949,7 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
4969
5949
  },
4970
5950
  {
4971
5951
  packageName: "@lucern/control-plane",
4972
- role: "platform_runtime",
5952
+ role: "component_runtime",
4973
5953
  directTenantImport: false
4974
5954
  },
4975
5955
  {
@@ -4978,79 +5958,948 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
4978
5958
  directTenantImport: false
4979
5959
  },
4980
5960
  {
4981
- packageName: "@lucern/events",
4982
- role: "sdk_dependency",
4983
- directTenantImport: false
5961
+ packageName: "@lucern/events",
5962
+ role: "sdk_dependency",
5963
+ directTenantImport: false
5964
+ },
5965
+ {
5966
+ packageName: "@lucern/graph-primitives",
5967
+ role: "sdk_dependency",
5968
+ directTenantImport: false
5969
+ },
5970
+ {
5971
+ packageName: "@lucern/graph-sync",
5972
+ role: "host_addon_runtime",
5973
+ directTenantImport: true
5974
+ },
5975
+ {
5976
+ packageName: "@lucern/mcp",
5977
+ role: "runtime_entrypoint",
5978
+ directTenantImport: true
5979
+ },
5980
+ {
5981
+ packageName: "@lucern/pack-host",
5982
+ role: "platform_runtime",
5983
+ directTenantImport: false
5984
+ },
5985
+ {
5986
+ packageName: "@lucern/pack-installer",
5987
+ role: "developer_tool",
5988
+ directTenantImport: false
5989
+ },
5990
+ {
5991
+ packageName: "@lucern/proof-compiler",
5992
+ role: "developer_tool",
5993
+ directTenantImport: false
5994
+ },
5995
+ {
5996
+ packageName: "@lucern/react",
5997
+ role: "runtime_entrypoint",
5998
+ directTenantImport: true
5999
+ },
6000
+ {
6001
+ packageName: "@lucern/reasoning-kernel",
6002
+ role: "component_runtime",
6003
+ directTenantImport: false
6004
+ },
6005
+ {
6006
+ packageName: "@lucern/sdk",
6007
+ role: "runtime_entrypoint",
6008
+ directTenantImport: true
6009
+ },
6010
+ {
6011
+ packageName: "@lucern/secrets",
6012
+ role: "sdk_dependency",
6013
+ directTenantImport: false
6014
+ },
6015
+ {
6016
+ packageName: "@lucern/server-core",
6017
+ role: "platform_runtime",
6018
+ directTenantImport: false
6019
+ },
6020
+ {
6021
+ packageName: "@lucern/testing",
6022
+ role: "test_support",
6023
+ directTenantImport: false
6024
+ },
6025
+ {
6026
+ packageName: "@lucern/types",
6027
+ role: "contract_entrypoint",
6028
+ directTenantImport: true
6029
+ }
6030
+ ];
6031
+ TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
6032
+ (entry) => entry.packageName
6033
+ );
6034
+
6035
+ // ../contracts/src/infisical-runtime.contract.ts
6036
+ var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
6037
+ {
6038
+ id: "stack-frontend",
6039
+ tenantKey: "stack",
6040
+ workspaceKey: "frontend",
6041
+ vercelProjectName: "ai-chatbot-diao",
6042
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6043
+ vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
6044
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
6045
+ repository: {
6046
+ owner: "stack-vc",
6047
+ name: "front-end"
6048
+ },
6049
+ sharedSourcePath: "/tenants/stack",
6050
+ sharedVariablePolicy: "tenant_shared_all_systems",
6051
+ convex: {
6052
+ urlEnv: "CONVEX_FRONTEND_URL",
6053
+ deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
6054
+ preprodDeployment: "rugged-lobster-664",
6055
+ prodDeployment: "wonderful-toucan-0"
6056
+ }
6057
+ },
6058
+ {
6059
+ id: "stackos",
6060
+ tenantKey: "stack",
6061
+ workspaceKey: "stackos",
6062
+ vercelProjectName: "stackos",
6063
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6064
+ vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
6065
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
6066
+ repository: {
6067
+ owner: "stack-vc",
6068
+ name: "stackos"
6069
+ },
6070
+ sharedSourcePath: "/tenants/stack",
6071
+ sharedVariablePolicy: "tenant_shared_all_systems",
6072
+ convex: {
6073
+ urlEnv: "CONVEX_STACKOS_URL",
6074
+ deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
6075
+ preprodDeployment: "giant-mandrill-761",
6076
+ prodDeployment: "good-snake-515"
6077
+ }
6078
+ },
6079
+ {
6080
+ id: "stack-eng",
6081
+ tenantKey: "stack",
6082
+ workspaceKey: "engineering",
6083
+ vercelProjectName: "stackos-engineering-graph",
6084
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6085
+ vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
6086
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
6087
+ repository: {
6088
+ owner: "stack-vc",
6089
+ name: "stackos-engineering-graph"
6090
+ },
6091
+ sharedSourcePath: "/tenants/stack/engineering",
6092
+ sharedVariablePolicy: "tenant_shared_all_systems",
6093
+ convex: {
6094
+ urlEnv: "CONVEX_STACK_ENG_URL",
6095
+ deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
6096
+ preprodDeployment: "small-oyster-270",
6097
+ prodDeployment: "bold-cuttlefish-804"
6098
+ }
6099
+ },
6100
+ {
6101
+ id: "lucern-graph",
6102
+ tenantKey: "lucern",
6103
+ workspaceKey: "lucern",
6104
+ vercelProjectName: "lucern-graph",
6105
+ vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
6106
+ vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
6107
+ vercelWriterTokenEnv: "LUCERN_VERCEL_TOKEN",
6108
+ repository: {
6109
+ owner: "LucernAI",
6110
+ name: "lucern-graph"
6111
+ },
6112
+ sharedSourcePath: "/tenants/lucern/shared",
6113
+ sharedVariablePolicy: "tenant_shared_all_systems",
6114
+ convex: {
6115
+ urlEnv: "CONVEX_LUCERN_URL",
6116
+ deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
6117
+ preprodDeployment: "good-blackbird-774",
6118
+ prodDeployment: "precious-dog-365"
6119
+ }
6120
+ }
6121
+ ];
6122
+ var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
6123
+ {
6124
+ idSuffix: "clerk.publishable",
6125
+ canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
6126
+ aliases: ["CLERK_PUBLISHABLE_KEY"],
6127
+ required: true,
6128
+ secret: false,
6129
+ public: true,
6130
+ description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
6131
+ },
6132
+ {
6133
+ idSuffix: "clerk.secret",
6134
+ canonicalName: "CLERK_SECRET_KEY",
6135
+ required: true,
6136
+ secret: true,
6137
+ public: false,
6138
+ description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
6139
+ },
6140
+ {
6141
+ idSuffix: "clerk.project",
6142
+ canonicalName: "CLERK_PROJECT_ID",
6143
+ required: true,
6144
+ secret: false,
6145
+ public: false,
6146
+ description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
6147
+ },
6148
+ {
6149
+ idSuffix: "clerk.jwks",
6150
+ canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
6151
+ aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
6152
+ required: false,
6153
+ secret: false,
6154
+ public: false,
6155
+ description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
6156
+ },
6157
+ {
6158
+ idSuffix: "clerk.jwt-key",
6159
+ canonicalName: "CLERK_JWT_KEY",
6160
+ required: false,
6161
+ secret: true,
6162
+ public: false,
6163
+ description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
6164
+ },
6165
+ {
6166
+ idSuffix: "clerk.authorized-parties",
6167
+ canonicalName: "CLERK_AUTHORIZED_PARTIES",
6168
+ aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
6169
+ required: false,
6170
+ secret: false,
6171
+ public: false,
6172
+ description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
6173
+ },
6174
+ {
6175
+ idSuffix: "clerk.sign-in-url",
6176
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
6177
+ required: false,
6178
+ secret: false,
6179
+ public: true,
6180
+ description: "Tenant Clerk sign-in route for custom app login surfaces."
6181
+ },
6182
+ {
6183
+ idSuffix: "clerk.sign-up-url",
6184
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
6185
+ required: false,
6186
+ secret: false,
6187
+ public: true,
6188
+ description: "Tenant Clerk sign-up route for custom app login surfaces."
6189
+ }
6190
+ ];
6191
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6192
+ (system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
6193
+ (template) => ({
6194
+ id: `tenant.${system.id}.${template.idSuffix}`,
6195
+ canonicalName: template.canonicalName,
6196
+ aliases: "aliases" in template ? template.aliases : void 0,
6197
+ owner: "tenant",
6198
+ scope: "tenant",
6199
+ sourcePath: system.sharedSourcePath,
6200
+ environmentPolicy: "environment_specific",
6201
+ required: template.required,
6202
+ secret: template.secret,
6203
+ public: template.public,
6204
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6205
+ destinations: [
6206
+ {
6207
+ kind: "vercel",
6208
+ target: system.vercelProjectName,
6209
+ environmentPolicy: "preprod_staging_prod_prod"
6210
+ },
6211
+ {
6212
+ kind: "convex",
6213
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6214
+ environmentPolicy: "preprod_staging_prod_prod"
6215
+ }
6216
+ ],
6217
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6218
+ })
6219
+ )
6220
+ );
6221
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
6222
+ (system) => ({
6223
+ id: `tenant.${system.id}.install-lucern-npm`,
6224
+ canonicalName: "INSTALL_LUCERN_NPM",
6225
+ owner: "provider",
6226
+ scope: "global",
6227
+ sourcePath: "/tenants/shared",
6228
+ environmentPolicy: "same_all_environments",
6229
+ required: true,
6230
+ secret: true,
6231
+ public: false,
6232
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6233
+ destinations: [
6234
+ {
6235
+ kind: "vercel",
6236
+ target: system.vercelProjectName,
6237
+ environmentPolicy: "same_all_environments"
6238
+ },
6239
+ {
6240
+ kind: "github_actions",
6241
+ target: `${system.repository.owner}/${system.repository.name}`,
6242
+ environmentPolicy: "same_all_environments"
6243
+ }
6244
+ ],
6245
+ description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
6246
+ })
6247
+ );
6248
+ var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
6249
+ var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
6250
+ {
6251
+ idSuffix: "ai.openai-api-key",
6252
+ canonicalName: "OPENAI_API_KEY",
6253
+ required: false,
6254
+ secret: true,
6255
+ public: false,
6256
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6257
+ description: "Tenant-owned OpenAI key for product runtime LLM calls."
6258
+ },
6259
+ {
6260
+ idSuffix: "ai.anthropic-api-key",
6261
+ canonicalName: "ANTHROPIC_API_KEY",
6262
+ required: false,
6263
+ secret: true,
6264
+ public: false,
6265
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6266
+ description: "Tenant-owned Anthropic key for product runtime LLM calls."
6267
+ },
6268
+ {
6269
+ idSuffix: "ai.gemini-api-key",
6270
+ canonicalName: "GEMINI_API_KEY",
6271
+ aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
6272
+ required: false,
6273
+ secret: true,
6274
+ public: false,
6275
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6276
+ description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
6277
+ },
6278
+ {
6279
+ idSuffix: "langfuse.secret-key",
6280
+ canonicalName: "LANGFUSE_SECRET_KEY",
6281
+ required: false,
6282
+ secret: true,
6283
+ public: false,
6284
+ consumers: [
6285
+ "tenant-vercel-app",
6286
+ "tenant-convex-deployment",
6287
+ "tenant-observability"
6288
+ ],
6289
+ description: "Tenant-owned Langfuse secret key for product AI tracing."
6290
+ },
6291
+ {
6292
+ idSuffix: "langfuse.public-key",
6293
+ canonicalName: "LANGFUSE_PUBLIC_KEY",
6294
+ required: false,
6295
+ secret: false,
6296
+ public: false,
6297
+ consumers: [
6298
+ "tenant-vercel-app",
6299
+ "tenant-convex-deployment",
6300
+ "tenant-observability"
6301
+ ],
6302
+ description: "Tenant-owned Langfuse public key for product AI tracing."
6303
+ },
6304
+ {
6305
+ idSuffix: "langfuse.base-url",
6306
+ canonicalName: "LANGFUSE_BASE_URL",
6307
+ aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
6308
+ required: false,
6309
+ secret: false,
6310
+ public: false,
6311
+ consumers: [
6312
+ "tenant-vercel-app",
6313
+ "tenant-convex-deployment",
6314
+ "tenant-observability"
6315
+ ],
6316
+ description: "Tenant-owned Langfuse API origin."
6317
+ },
6318
+ {
6319
+ idSuffix: "graph.neo4j-uri",
6320
+ canonicalName: "NEO4J_URI",
6321
+ required: false,
6322
+ secret: false,
6323
+ public: false,
6324
+ consumers: [
6325
+ "tenant-vercel-app",
6326
+ "tenant-convex-deployment",
6327
+ "tenant-graph-sync"
6328
+ ],
6329
+ description: "Tenant-owned Neo4j URI for product graph-sync."
6330
+ },
6331
+ {
6332
+ idSuffix: "graph.neo4j-user",
6333
+ canonicalName: "NEO4J_USER",
6334
+ aliases: ["NEO4J_USERNAME"],
6335
+ required: false,
6336
+ secret: false,
6337
+ public: false,
6338
+ consumers: [
6339
+ "tenant-vercel-app",
6340
+ "tenant-convex-deployment",
6341
+ "tenant-graph-sync"
6342
+ ],
6343
+ description: "Tenant-owned Neo4j user for product graph-sync."
6344
+ },
6345
+ {
6346
+ idSuffix: "graph.neo4j-password",
6347
+ canonicalName: "NEO4J_PASSWORD",
6348
+ required: false,
6349
+ secret: true,
6350
+ public: false,
6351
+ consumers: [
6352
+ "tenant-vercel-app",
6353
+ "tenant-convex-deployment",
6354
+ "tenant-graph-sync"
6355
+ ],
6356
+ description: "Tenant-owned Neo4j password for product graph-sync."
6357
+ },
6358
+ {
6359
+ idSuffix: "graph.neo4j-sync-secret",
6360
+ canonicalName: "NEO4J_SYNC_SECRET",
6361
+ required: false,
6362
+ secret: true,
6363
+ public: false,
6364
+ consumers: [
6365
+ "tenant-vercel-app",
6366
+ "tenant-convex-deployment",
6367
+ "tenant-graph-sync"
6368
+ ],
6369
+ description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
6370
+ },
6371
+ {
6372
+ idSuffix: "graph.neo4j-database",
6373
+ canonicalName: "NEO4J_DATABASE",
6374
+ required: false,
6375
+ secret: false,
6376
+ public: false,
6377
+ consumers: [
6378
+ "tenant-vercel-app",
6379
+ "tenant-convex-deployment",
6380
+ "tenant-graph-sync"
6381
+ ],
6382
+ description: "Tenant-owned Neo4j database name for product graph-sync."
6383
+ },
6384
+ {
6385
+ idSuffix: "vector.pinecone-api-key",
6386
+ canonicalName: "PINECONE_API_KEY",
6387
+ required: false,
6388
+ secret: true,
6389
+ public: false,
6390
+ consumers: [
6391
+ "tenant-vercel-app",
6392
+ "tenant-convex-deployment",
6393
+ "tenant-vector-store"
6394
+ ],
6395
+ description: "Tenant-owned Pinecone API key for product vector search."
6396
+ },
6397
+ {
6398
+ idSuffix: "vector.pinecone-index-name",
6399
+ canonicalName: "PINECONE_INDEX_NAME",
6400
+ aliases: ["PINECONE_INDEX"],
6401
+ required: false,
6402
+ secret: false,
6403
+ public: false,
6404
+ consumers: [
6405
+ "tenant-vercel-app",
6406
+ "tenant-convex-deployment",
6407
+ "tenant-vector-store"
6408
+ ],
6409
+ description: "Tenant-owned Pinecone index name for product vector search."
6410
+ },
6411
+ {
6412
+ idSuffix: "vector.pinecone-host",
6413
+ canonicalName: "PINECONE_HOST",
6414
+ aliases: ["PINECONE_INDEX_HOST"],
6415
+ required: false,
6416
+ secret: false,
6417
+ public: false,
6418
+ consumers: [
6419
+ "tenant-vercel-app",
6420
+ "tenant-convex-deployment",
6421
+ "tenant-vector-store"
6422
+ ],
6423
+ description: "Tenant-owned Pinecone host for product vector search."
6424
+ },
6425
+ {
6426
+ idSuffix: "vector.pinecone-namespace",
6427
+ canonicalName: "PINECONE_NAMESPACE",
6428
+ required: false,
6429
+ secret: false,
6430
+ public: false,
6431
+ consumers: [
6432
+ "tenant-vercel-app",
6433
+ "tenant-convex-deployment",
6434
+ "tenant-vector-store"
6435
+ ],
6436
+ description: "Tenant-owned Pinecone namespace for product vector search isolation."
6437
+ },
6438
+ {
6439
+ idSuffix: "storage.aws-access-key-id",
6440
+ canonicalName: "AWS_ACCESS_KEY_ID",
6441
+ required: false,
6442
+ secret: true,
6443
+ public: false,
6444
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6445
+ description: "Tenant-owned AWS access key id for document/file ingestion."
6446
+ },
6447
+ {
6448
+ idSuffix: "storage.aws-secret-access-key",
6449
+ canonicalName: "AWS_SECRET_ACCESS_KEY",
6450
+ required: false,
6451
+ secret: true,
6452
+ public: false,
6453
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6454
+ description: "Tenant-owned AWS secret access key for document/file ingestion."
4984
6455
  },
4985
6456
  {
4986
- packageName: "@lucern/graph-primitives",
4987
- role: "sdk_dependency",
4988
- directTenantImport: false
6457
+ idSuffix: "storage.aws-region",
6458
+ canonicalName: "AWS_REGION",
6459
+ required: false,
6460
+ secret: false,
6461
+ public: false,
6462
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6463
+ description: "Tenant-owned AWS region for document/file ingestion."
4989
6464
  },
4990
6465
  {
4991
- packageName: "@lucern/graph-sync",
4992
- role: "host_addon_runtime",
4993
- directTenantImport: true
6466
+ idSuffix: "observability.sentry-dsn",
6467
+ canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
6468
+ aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
6469
+ required: false,
6470
+ secret: false,
6471
+ public: true,
6472
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6473
+ description: "Tenant-owned Sentry DSN for app telemetry."
4994
6474
  },
4995
6475
  {
4996
- packageName: "@lucern/identity",
4997
- role: "component_runtime",
4998
- directTenantImport: false
6476
+ idSuffix: "observability.sentry-auth-token",
6477
+ canonicalName: "SENTRY_AUTH_TOKEN",
6478
+ required: false,
6479
+ secret: true,
6480
+ public: false,
6481
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6482
+ description: "Tenant-owned Sentry release token for app deployments."
4999
6483
  },
5000
6484
  {
5001
- packageName: "@lucern/mcp",
5002
- role: "runtime_entrypoint",
5003
- directTenantImport: true
6485
+ idSuffix: "observability.sentry-org",
6486
+ canonicalName: "SENTRY_ORG",
6487
+ aliases: ["SENTRY_ORG_SLUG"],
6488
+ required: false,
6489
+ secret: false,
6490
+ public: false,
6491
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6492
+ description: "Tenant-owned Sentry org slug for release uploads."
5004
6493
  },
5005
6494
  {
5006
- packageName: "@lucern/pack-host",
5007
- role: "platform_runtime",
5008
- directTenantImport: false
6495
+ idSuffix: "observability.sentry-project",
6496
+ canonicalName: "SENTRY_PROJECT",
6497
+ aliases: ["SENTRY_PROJECT_NEXTJS"],
6498
+ required: false,
6499
+ secret: false,
6500
+ public: false,
6501
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6502
+ description: "Tenant-owned Sentry project slug for release uploads."
5009
6503
  },
5010
6504
  {
5011
- packageName: "@lucern/pack-installer",
5012
- role: "developer_tool",
5013
- directTenantImport: false
6505
+ idSuffix: "observability.sentry-environment",
6506
+ canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
6507
+ aliases: ["SENTRY_ENVIRONMENT"],
6508
+ required: false,
6509
+ secret: false,
6510
+ public: true,
6511
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6512
+ description: "Tenant-owned Sentry environment label."
5014
6513
  },
5015
6514
  {
5016
- packageName: "@lucern/proof-compiler",
5017
- role: "developer_tool",
5018
- directTenantImport: false
6515
+ idSuffix: "observability.sentry-release",
6516
+ canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
6517
+ aliases: ["SENTRY_RELEASE"],
6518
+ required: false,
6519
+ secret: false,
6520
+ public: true,
6521
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6522
+ description: "Tenant-owned Sentry release label."
5019
6523
  },
5020
6524
  {
5021
- packageName: "@lucern/react",
5022
- role: "runtime_entrypoint",
5023
- directTenantImport: true
6525
+ idSuffix: "observability.sentry-client-options",
6526
+ canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
6527
+ aliases: [
6528
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
6529
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
6530
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
6531
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
6532
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
6533
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
6534
+ "NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
6535
+ "NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
6536
+ "NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
6537
+ "NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
6538
+ "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
6539
+ ],
6540
+ required: false,
6541
+ secret: false,
6542
+ public: true,
6543
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6544
+ description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
5024
6545
  },
5025
6546
  {
5026
- packageName: "@lucern/reasoning-kernel",
5027
- role: "component_runtime",
5028
- directTenantImport: false
6547
+ idSuffix: "observability.sentry-webhook-secret",
6548
+ canonicalName: "SENTRY_WEBHOOK_SECRET",
6549
+ required: false,
6550
+ secret: true,
6551
+ public: false,
6552
+ consumers: ["tenant-convex-deployment", "tenant-observability"],
6553
+ description: "Tenant-owned Sentry webhook verification secret."
5029
6554
  },
5030
6555
  {
5031
- packageName: "@lucern/sdk",
5032
- role: "runtime_entrypoint",
5033
- directTenantImport: true
6556
+ idSuffix: "lucern.gateway-api-key",
6557
+ canonicalName: "LUCERN_API_KEY",
6558
+ aliases: ["STACK_API_KEY"],
6559
+ required: false,
6560
+ secret: true,
6561
+ public: false,
6562
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6563
+ description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
5034
6564
  },
5035
6565
  {
5036
- packageName: "@lucern/server-core",
5037
- role: "platform_runtime",
5038
- directTenantImport: false
6566
+ idSuffix: "lucern.gateway-base-url",
6567
+ canonicalName: "LUCERN_BASE_URL",
6568
+ aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
6569
+ required: false,
6570
+ secret: false,
6571
+ public: false,
6572
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6573
+ description: "Lucern/MC gateway base URL used by tenant product apps."
5039
6574
  },
5040
6575
  {
5041
- packageName: "@lucern/testing",
5042
- role: "test_support",
5043
- directTenantImport: false
6576
+ idSuffix: "lucern.proxy-token-secret",
6577
+ canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
6578
+ required: false,
6579
+ secret: true,
6580
+ public: false,
6581
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6582
+ description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
5044
6583
  },
5045
6584
  {
5046
- packageName: "@lucern/types",
5047
- role: "contract_entrypoint",
5048
- directTenantImport: true
6585
+ idSuffix: "tenant.integrations.linear-api-key",
6586
+ canonicalName: "LINEAR_API_KEY",
6587
+ required: false,
6588
+ secret: true,
6589
+ public: false,
6590
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6591
+ description: "Tenant-owned Linear API key for support/slash-command flows."
6592
+ },
6593
+ {
6594
+ idSuffix: "tenant.vercel.bypass-token",
6595
+ canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
6596
+ aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
6597
+ required: false,
6598
+ secret: true,
6599
+ public: false,
6600
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6601
+ description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
5049
6602
  }
5050
6603
  ];
5051
- TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
5052
- (entry) => entry.packageName
6604
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
6605
+ (system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
6606
+ ).flatMap(
6607
+ (system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
6608
+ (template) => ({
6609
+ id: `tenant.${system.id}.${template.idSuffix}`,
6610
+ canonicalName: template.canonicalName,
6611
+ aliases: "aliases" in template ? template.aliases : void 0,
6612
+ owner: "tenant",
6613
+ scope: "tenant",
6614
+ sourcePath: system.sharedSourcePath,
6615
+ environmentPolicy: "environment_specific",
6616
+ required: template.required,
6617
+ secret: template.secret,
6618
+ public: template.public,
6619
+ consumers: template.consumers,
6620
+ destinations: [
6621
+ {
6622
+ kind: "vercel",
6623
+ target: system.vercelProjectName,
6624
+ environmentPolicy: "preprod_staging_prod_prod"
6625
+ },
6626
+ {
6627
+ kind: "convex",
6628
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6629
+ environmentPolicy: "preprod_staging_prod_prod"
6630
+ },
6631
+ {
6632
+ kind: "github_actions",
6633
+ target: `${system.repository.owner}/${system.repository.name}`,
6634
+ environmentPolicy: "preprod_staging_prod_prod"
6635
+ }
6636
+ ],
6637
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6638
+ })
6639
+ )
6640
+ );
6641
+ function tenantVercelConvexUrlWriteNames(system) {
6642
+ const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
6643
+ if (system.id === "stack-eng") {
6644
+ return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6645
+ }
6646
+ return names;
6647
+ }
6648
+ function tenantRepositoryConvexUrlWriteNames(system) {
6649
+ if (system.id === "stack-eng") {
6650
+ return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6651
+ }
6652
+ return [system.convex.urlEnv];
6653
+ }
6654
+ function tenantRepositoryConvexDeployKeyWriteNames(system) {
6655
+ if (system.id === "stack-eng") {
6656
+ return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6657
+ }
6658
+ return [system.convex.deployKeyEnv];
6659
+ }
6660
+ function tenantConvexUrlAliases(system) {
6661
+ if (system.id === "stack-frontend") {
6662
+ return [
6663
+ "CONVEX_PROD_URL",
6664
+ "CONVEX_STACK_V2_PROD_URL",
6665
+ "CONVEX_STACK_V2_STAGING_URL",
6666
+ "STACK_CONVEX_URL"
6667
+ ];
6668
+ }
6669
+ if (system.id === "stackos") {
6670
+ return [
6671
+ "CONVEX_CLOUD_URL",
6672
+ "CONVEX_STACK_URL",
6673
+ "CONVEX_URL",
6674
+ "CONVEX_URL_DEVELOPMENT",
6675
+ "CONVEX_URL_PRODUCTION",
6676
+ "STACK_CONVEX_URL"
6677
+ ];
6678
+ }
6679
+ if (system.id === "stack-eng") {
6680
+ return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6681
+ }
6682
+ if (system.id === "lucern-graph") {
6683
+ return [
6684
+ "CONVEX_GRAPH_URL",
6685
+ "LUCERN_PROD_URL",
6686
+ "NEXT_PUBLIC_LUCERN_GRAPH_URL"
6687
+ ];
6688
+ }
6689
+ return void 0;
6690
+ }
6691
+ function tenantConvexDeployKeyAliases(system) {
6692
+ if (system.id === "stack-frontend") {
6693
+ return [
6694
+ "CONVEX_STACK_V2_PROD_DEPLOY_KEY",
6695
+ "CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
6696
+ "STACK_DEPLOY_KEY"
6697
+ ];
6698
+ }
6699
+ if (system.id === "stackos") {
6700
+ return [
6701
+ "CONVEX_DEPLOY_KEY",
6702
+ "CONVEX_DEV_DEPLOY_KEY",
6703
+ "CONVEX_PROD_DEPLOY_KEY",
6704
+ "CONVEX_STACK_DEPLOY_KEY",
6705
+ "STACK_DEPLOY_KEY"
6706
+ ];
6707
+ }
6708
+ if (system.id === "stack-eng") {
6709
+ return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6710
+ }
6711
+ if (system.id === "lucern-graph") {
6712
+ return [
6713
+ "CONVEX_DEPLOY_KEY",
6714
+ "CONVEX_GRAPH_DEPLOY_KEY",
6715
+ "LUCERN_CONVEX_DEPLOY_KEY",
6716
+ "LUCERN_DEV_DEPLOY_KEY",
6717
+ "LUCERN_PROD_DEPLOY_KEY"
6718
+ ];
6719
+ }
6720
+ return void 0;
6721
+ }
6722
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6723
+ (system) => {
6724
+ if (system.id === "lucern-graph") {
6725
+ return [
6726
+ {
6727
+ id: "tenant.lucern-graph.public.tenant-id",
6728
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
6729
+ aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
6730
+ owner: "tenant",
6731
+ scope: "workspace",
6732
+ sourcePath: system.sharedSourcePath,
6733
+ environmentPolicy: "environment_specific",
6734
+ required: false,
6735
+ secret: false,
6736
+ public: true,
6737
+ consumers: ["tenant-vercel-app"],
6738
+ destinations: [
6739
+ {
6740
+ kind: "vercel",
6741
+ target: system.vercelProjectName,
6742
+ environmentPolicy: "preprod_staging_prod_prod"
6743
+ }
6744
+ ],
6745
+ description: "Lucern graph public tenant id used by the standalone graph explorer."
6746
+ },
6747
+ {
6748
+ id: "tenant.lucern-graph.public.tenant-label",
6749
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
6750
+ owner: "tenant",
6751
+ scope: "workspace",
6752
+ sourcePath: system.sharedSourcePath,
6753
+ environmentPolicy: "environment_specific",
6754
+ required: false,
6755
+ secret: false,
6756
+ public: true,
6757
+ consumers: ["tenant-vercel-app"],
6758
+ destinations: [
6759
+ {
6760
+ kind: "vercel",
6761
+ target: system.vercelProjectName,
6762
+ environmentPolicy: "preprod_staging_prod_prod"
6763
+ }
6764
+ ],
6765
+ description: "Lucern graph public tenant label used by the standalone graph explorer."
6766
+ }
6767
+ ];
6768
+ }
6769
+ if (system.id === "stack-eng") {
6770
+ return [
6771
+ {
6772
+ id: "tenant.stack-eng.public.tenant-id",
6773
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
6774
+ owner: "tenant",
6775
+ scope: "workspace",
6776
+ sourcePath: system.sharedSourcePath,
6777
+ environmentPolicy: "environment_specific",
6778
+ required: false,
6779
+ secret: false,
6780
+ public: true,
6781
+ consumers: ["tenant-vercel-app"],
6782
+ destinations: [
6783
+ {
6784
+ kind: "vercel",
6785
+ target: system.vercelProjectName,
6786
+ environmentPolicy: "preprod_staging_prod_prod"
6787
+ }
6788
+ ],
6789
+ description: "Stack engineering graph public tenant id used by the graph explorer."
6790
+ },
6791
+ {
6792
+ id: "tenant.stack-eng.public.tenant-label",
6793
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
6794
+ owner: "tenant",
6795
+ scope: "workspace",
6796
+ sourcePath: system.sharedSourcePath,
6797
+ environmentPolicy: "environment_specific",
6798
+ required: false,
6799
+ secret: false,
6800
+ public: true,
6801
+ consumers: ["tenant-vercel-app"],
6802
+ destinations: [
6803
+ {
6804
+ kind: "vercel",
6805
+ target: system.vercelProjectName,
6806
+ environmentPolicy: "preprod_staging_prod_prod"
6807
+ }
6808
+ ],
6809
+ description: "Stack engineering graph public tenant label used by the graph explorer."
6810
+ },
6811
+ {
6812
+ id: "tenant.stack-eng.public.environment",
6813
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
6814
+ owner: "tenant",
6815
+ scope: "workspace",
6816
+ sourcePath: system.sharedSourcePath,
6817
+ environmentPolicy: "environment_specific",
6818
+ required: false,
6819
+ secret: false,
6820
+ public: true,
6821
+ consumers: ["tenant-vercel-app"],
6822
+ destinations: [
6823
+ {
6824
+ kind: "vercel",
6825
+ target: system.vercelProjectName,
6826
+ environmentPolicy: "preprod_staging_prod_prod"
6827
+ }
6828
+ ],
6829
+ description: "Stack engineering graph public environment label used by the graph explorer."
6830
+ }
6831
+ ];
6832
+ }
6833
+ return [];
6834
+ }
5053
6835
  );
6836
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
6837
+ {
6838
+ id: `tenant.${system.id}.convex.url`,
6839
+ canonicalName: system.convex.urlEnv,
6840
+ aliases: tenantConvexUrlAliases(system),
6841
+ owner: "tenant",
6842
+ scope: "software_system",
6843
+ sourcePath: system.sharedSourcePath,
6844
+ environmentPolicy: "preprod_staging_prod_prod",
6845
+ required: true,
6846
+ secret: false,
6847
+ public: false,
6848
+ consumers: [
6849
+ "tenant-vercel-app",
6850
+ "tenant-agent-runtime",
6851
+ "mc-operator-tooling"
6852
+ ],
6853
+ destinations: [
6854
+ {
6855
+ kind: "vercel",
6856
+ target: system.vercelProjectName,
6857
+ environmentPolicy: "preprod_staging_prod_prod",
6858
+ writeNames: tenantVercelConvexUrlWriteNames(system)
6859
+ },
6860
+ {
6861
+ kind: "github_actions",
6862
+ target: `${system.repository.owner}/${system.repository.name}`,
6863
+ environmentPolicy: "preprod_staging_prod_prod",
6864
+ writeNames: tenantRepositoryConvexUrlWriteNames(system),
6865
+ notes: "Only if that repository deploy/test workflow owns this software system."
6866
+ }
6867
+ ],
6868
+ description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
6869
+ },
6870
+ {
6871
+ id: `tenant.${system.id}.convex.deploy-key`,
6872
+ canonicalName: system.convex.deployKeyEnv,
6873
+ aliases: tenantConvexDeployKeyAliases(system),
6874
+ owner: "tenant",
6875
+ scope: "software_system",
6876
+ sourcePath: system.sharedSourcePath,
6877
+ environmentPolicy: "preprod_staging_prod_prod",
6878
+ required: true,
6879
+ secret: true,
6880
+ public: false,
6881
+ consumers: [
6882
+ "tenant-vercel-app",
6883
+ "tenant-agent-runtime",
6884
+ "mc-operator-tooling"
6885
+ ],
6886
+ destinations: [
6887
+ {
6888
+ kind: "vercel",
6889
+ target: system.vercelProjectName,
6890
+ environmentPolicy: "preprod_staging_prod_prod"
6891
+ },
6892
+ {
6893
+ kind: "github_actions",
6894
+ target: `${system.repository.owner}/${system.repository.name}`,
6895
+ environmentPolicy: "preprod_staging_prod_prod",
6896
+ writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
6897
+ notes: "Only if that repository deploy/test workflow owns this software system."
6898
+ }
6899
+ ],
6900
+ description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
6901
+ }
6902
+ ]);
5054
6903
  z.object({
5055
6904
  manifestVersion: z.literal("1.0.0"),
5056
6905
  rules: z.array(
@@ -5091,7 +6940,7 @@ var createEvidenceInputSchemaBase = z.object({
5091
6940
  targetId: z.string().optional(),
5092
6941
  targetNodeId: z.string().optional(),
5093
6942
  linkedBeliefNodeId: z.string().optional(),
5094
- evidenceRelation: z.enum(["supports", "contradicts", "neutral"]).optional(),
6943
+ evidenceRelation: z.enum(["supports", "contradicts"]).optional(),
5095
6944
  confidence: z.number().optional(),
5096
6945
  weight: z.number().optional(),
5097
6946
  reasoning: z.string().optional(),
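Review bot: Narrowing `evidenceRelation` to `["supports", "contradicts"]` makes any caller or stored record that still carries `"neutral"` fail validation, and nothing in this hunk maps or tolerates the old value. The same narrowing is applied to the Convex validator in the `createEvidenceProjection` hunk that follows. If legacy input is still expected, record the removal next to the field, for example `// "neutral" was removed in 1.0.0; callers without a directional relation should omit evidenceRelation`, assuming omission is the intended replacement. `createEvidenceInputSchemaBase` starts and ends outside the hunk.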
@@ -5176,8 +7025,7 @@ var createEvidenceProjection = defineProjection({
5176
7025
  evidenceRelation: v.optional(
5177
7026
  v.union(
5178
7027
  v.literal("supports"),
5179
- v.literal("contradicts"),
5180
- v.literal("neutral")
7028
+ v.literal("contradicts")
5181
7029
  )
5182
7030
  ),
5183
7031
  confidence: v.optional(v.number()),
@@ -5202,7 +7050,7 @@ function compactRecord2(input) {
5202
7050
  Object.entries(input).filter(([, value]) => value !== void 0)
5203
7051
  );
5204
7052
  }
5205
- var listBeliefsProjection = defineProjection({
7053
+ defineProjection({
5206
7054
  contractName: "list_beliefs",
5207
7055
  inputSchema: listBeliefsInputSchema,
5208
7056
  project: (input) => compactRecord2({
@@ -5226,12 +7074,17 @@ var listBeliefsProjection = defineProjection({
5226
7074
  });
5227
7075
  var taskStatusSchema = z.enum(["todo", "in_progress", "blocked", "done"]).optional().describe("Filter by task status");
5228
7076
  var listTasksInputSchema = z.object({
5229
- topicId: z.string().describe("Topic scope"),
7077
+ topicId: z.string().optional().describe("Topic scope"),
5230
7078
  worktreeId: z.string().optional().describe("Alias for linkedWorktreeId"),
5231
7079
  linkedWorktreeId: z.string().optional().describe("Filter to tasks linked to this worktree"),
5232
7080
  status: taskStatusSchema,
5233
7081
  limit: z.number().optional().describe("Maximum results")
5234
- });
7082
+ }).refine(
7083
+ (input) => Boolean(input.topicId || input.worktreeId || input.linkedWorktreeId),
7084
+ {
7085
+ message: "topicId or worktreeId is required"
7086
+ }
7087
+ );
5235
7088
  function compactRecord3(input) {
5236
7089
  return Object.fromEntries(
5237
7090
  Object.entries(input).filter(([, value]) => value !== void 0)
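Review bot: The at-least-one-scope rule added by `.refine(...)` on `listTasksInputSchema` exists only in the zod layer. The `listTasksProjection` hunk that follows relaxes `topicId` to `v.optional(v.string())` in the Convex validator with no matching rule, so a call that reaches the Convex function without passing through this schema can arrive with neither a topic nor a worktree. The handler is not visible here; it should reject that case itself rather than return an unscoped task list. The refine message also leaves out the third field the predicate accepts; `message: "topicId, worktreeId, or linkedWorktreeId is required"` matches what is checked.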
@@ -5248,7 +7101,7 @@ var listTasksProjection = defineProjection({
5248
7101
  linkedWorktreeId: input.linkedWorktreeId ?? input.worktreeId
5249
7102
  }),
5250
7103
  convexArgsValidator: v.object({
5251
- topicId: v.string(),
7104
+ topicId: v.optional(v.string()),
5252
7105
  status: v.optional(
5253
7106
  v.union(
5254
7107
  v.literal("todo"),
@@ -6226,19 +8079,23 @@ var FIND_CONTRADICTIONS = {
6226
8079
  };
6227
8080
  var CREATE_EDGE = {
6228
8081
  name: "create_edge",
6229
- description: "Commit a typed relationship between two nodes in the reasoning graph. Like `git commit` \u2014 an atomic write that declares a dependency between nodes. The engine enforces layer transition rules \u2014 for example, L1 \u2192 L3 direct edges are forbidden (must go through L2).",
8082
+ description: "Commit a typed relationship between two nodes in the reasoning graph. Like `git commit` \u2014 an atomic write that declares a dependency between nodes. Accepts any public epistemic edge type between public graph node refs so agents can author the full spine.",
6230
8083
  parameters: {
6231
- sourceId: {
6232
- type: "string",
6233
- description: "Source node of the relationship"
8084
+ from: {
8085
+ type: "object",
8086
+ description: "Source graph ref, e.g. { kind: 'epistemic_node', nodeId: '...', nodeType: 'topic' }"
6234
8087
  },
6235
- targetId: {
6236
- type: "string",
6237
- description: "Target node of the relationship"
8088
+ to: {
8089
+ type: "object",
8090
+ description: "Target graph ref, e.g. { kind: 'epistemic_node', nodeId: '...', nodeType: 'belief' }"
6238
8091
  },
6239
8092
  edgeType: {
6240
8093
  type: "string",
6241
- description: "Relationship type (informs, tests, depends_on, supersedes, etc.)"
8094
+ description: "Relationship type from the public epistemic edge enum."
8095
+ },
8096
+ globalId: {
8097
+ type: "string",
8098
+ description: "Optional idempotent edge global ID."
6242
8099
  },
6243
8100
  weight: {
6244
8101
  type: "number",
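Review bot: `from` and `to` are declared as bare `type: "object"` parameters, so the keys a graph ref must carry appear only as an example inside the description and nothing in the contract lets a client or the MCP layer check them. If `kind`, `nodeId` and `nodeType` are what the handler requires, say so explicitly, e.g. `description: "Source graph ref. Required keys: kind, nodeId, nodeType."`, and the same for `to`. The rewritten tool description also drops the earlier statement that the engine enforces layer transition rules. If that enforcement still applies to `create_edge`, keep the sentence so agents do not read "accepts any public epistemic edge type" as unrestricted. `CREATE_EDGE` continues outside the hunk.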
@@ -6248,10 +8105,14 @@ var CREATE_EDGE = {
6248
8105
  reasoningMethod: {
6249
8106
  type: "string",
6250
8107
  description: "How this was determined",
6251
- enum: ["deductive", "inductive", "abductive", "analogical", "empirical"]
8108
+ enum: [...REASONING_METHODS]
8109
+ },
8110
+ metadata: {
8111
+ type: "object",
8112
+ description: "Optional edge metadata."
6252
8113
  }
6253
8114
  },
6254
- required: ["sourceId", "targetId", "edgeType"],
8115
+ required: ["from", "to", "edgeType"],
6255
8116
  response: {
6256
8117
  description: "The created edge",
6257
8118
  fields: {
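Review bot: `enum: [...REASONING_METHODS]` no longer admits `"empirical"`, which the previous inline list allowed; the shared constant added near the top of this file lists ten methods and that value is not among them. Together with `required: ["from", "to", "edgeType"]` replacing `sourceId`/`targetId`, a caller written against the old `create_edge` contract now fails on both the required keys and the enum. A comment on the field would make the removal deliberate rather than incidental: `// "empirical" is not in REASONING_METHODS; legacy callers must choose one of the listed methods`. `CREATE_EDGE` starts outside the hunk.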
@@ -6265,6 +8126,240 @@ var CREATE_EDGE = {
6265
8126
  ontologyPrimitive: "edge",
6266
8127
  tier: "showcase"
6267
8128
  };
8129
+ var UPDATE_EDGE = {
8130
+ name: "update_edge",
8131
+ description: "Amend metadata on an existing graph edge. Like `git commit --amend` \u2014 changes the edge annotation without recreating the relationship.",
8132
+ parameters: {
8133
+ edgeId: { type: "string", description: "Edge ID or global ID to update" },
8134
+ weight: { type: "number", description: "Updated edge weight" },
8135
+ confidence: { type: "number", description: "Updated confidence" },
8136
+ context: { type: "string", description: "Updated human-readable context" },
8137
+ derivationType: { type: "string", description: "Updated derivation type" },
8138
+ metadata: { type: "object", description: "Updated metadata" }
8139
+ },
8140
+ required: ["edgeId"],
8141
+ response: {
8142
+ description: "Edge update result",
8143
+ fields: { success: "boolean" }
8144
+ },
8145
+ ownerModule: "graph-primitives",
8146
+ ontologyPrimitive: "edge",
8147
+ tier: "workhorse"
8148
+ };
8149
+ var REMOVE_EDGE = {
8150
+ name: "remove_edge",
8151
+ description: "Remove one graph edge by ID. Like `git rm` \u2014 deletes a single explicit relationship from the spine.",
8152
+ parameters: {
8153
+ edgeId: { type: "string", description: "Edge ID or global ID to remove" }
8154
+ },
8155
+ required: ["edgeId"],
8156
+ response: {
8157
+ description: "Edge removal result",
8158
+ fields: { success: "boolean" }
8159
+ },
8160
+ ownerModule: "graph-primitives",
8161
+ ontologyPrimitive: "edge",
8162
+ tier: "workhorse"
8163
+ };
8164
+ var REMOVE_EDGES_BETWEEN = {
8165
+ name: "remove_edges_between",
8166
+ description: "Remove graph edges between two nodes. Like `git rm <pathspec>` \u2014 deletes relationships matching a source, target, and optional type.",
8167
+ parameters: {
8168
+ fromNodeId: { type: "string", description: "Source node ID or global ID" },
8169
+ toNodeId: { type: "string", description: "Target node ID or global ID" },
8170
+ edgeType: { type: "string", description: "Optional edge type filter" }
8171
+ },
8172
+ required: ["fromNodeId", "toNodeId"],
8173
+ response: {
8174
+ description: "Matched edge removal result",
8175
+ fields: { deleted: "number" }
8176
+ },
8177
+ ownerModule: "graph-primitives",
8178
+ ontologyPrimitive: "edge",
8179
+ tier: "workhorse"
8180
+ };
8181
+ var BATCH_CREATE_EDGES = {
8182
+ name: "batch_create_edges",
8183
+ description: "Commit multiple typed graph edges. Like `git commit` with many staged paths \u2014 writes a batch of explicit relationships atomically per edge.",
8184
+ parameters: {
8185
+ edges: {
8186
+ type: "array",
8187
+ description: "Edges to create, each with from, to, edgeType, and optional weight/confidence/context."
8188
+ },
8189
+ skipLayerValidation: {
8190
+ type: "boolean",
8191
+ description: "Skip kernel layer validation for trusted materialization flows."
8192
+ }
8193
+ },
8194
+ required: ["edges"],
8195
+ response: {
8196
+ description: "Batch edge creation result",
8197
+ fields: {
8198
+ created: "number",
8199
+ results: "array",
8200
+ errors: "array"
8201
+ }
8202
+ },
8203
+ ownerModule: "graph-primitives",
8204
+ ontologyPrimitive: "edge",
8205
+ tier: "workhorse"
8206
+ };
8207
+ var CREATE_EPISTEMIC_NODE = {
8208
+ name: "create_epistemic_node",
8209
+ description: "Commit a generic epistemic graph node. Like `git commit` \u2014 creates a canonical node in the public spine for topics, beliefs, evidence, questions, answers, sources, and entities.",
8210
+ parameters: {
8211
+ globalId: { type: "string", description: "Optional idempotent node global ID" },
8212
+ nodeType: { type: "string", description: "Public epistemic node type" },
8213
+ canonicalText: { type: "string", description: "Canonical node text" },
8214
+ text: { type: "string", description: "Alias for canonicalText" },
8215
+ contentHash: { type: "string", description: "Optional idempotency content hash" },
8216
+ sourceType: { type: "string", description: "Source type for provenance" },
8217
+ topicId: { type: "string", description: "Optional topic scope" },
8218
+ content: { type: "string", description: "Extended content" },
8219
+ title: { type: "string", description: "Display title" },
8220
+ metadata: { type: "object", description: "Optional node metadata" }
8221
+ },
8222
+ required: ["nodeType"],
8223
+ response: {
8224
+ description: "Created node result",
8225
+ fields: {
8226
+ nodeId: "string",
8227
+ nodeGlobalId: "string",
8228
+ isDuplicate: "boolean"
8229
+ }
8230
+ },
8231
+ ownerModule: "reasoning-kernel",
8232
+ ontologyPrimitive: "graph",
8233
+ tier: "showcase"
8234
+ };
8235
+ var GET_EPISTEMIC_NODE = {
8236
+ name: "get_epistemic_node",
8237
+ description: "Read one epistemic graph node. Like `git show` \u2014 resolves a canonical spine node by ID or global ID.",
8238
+ parameters: {
8239
+ nodeId: { type: "string", description: "Node ID or global ID" }
8240
+ },
8241
+ required: ["nodeId"],
8242
+ response: {
8243
+ description: "The resolved node",
8244
+ fields: { node: "object" }
8245
+ },
8246
+ ownerModule: "reasoning-kernel",
8247
+ ontologyPrimitive: "graph",
8248
+ tier: "workhorse"
8249
+ };
8250
+ var LIST_EPISTEMIC_NODES = {
8251
+ name: "list_epistemic_nodes",
8252
+ description: "List epistemic graph nodes. Like `git ls-tree` \u2014 lists canonical spine nodes by topic, type, status, or search query.",
8253
+ parameters: {
8254
+ topicId: { type: "string", description: "Optional topic scope" },
8255
+ nodeType: { type: "string", description: "Optional node type filter" },
8256
+ status: { type: "string", description: "Optional lifecycle status" },
8257
+ searchQuery: { type: "string", description: "Optional text search query" },
8258
+ limit: { type: "number", description: "Maximum nodes to return" }
8259
+ },
8260
+ required: [],
8261
+ response: {
8262
+ description: "Matching nodes",
8263
+ fields: { nodes: "array" }
8264
+ },
8265
+ ownerModule: "reasoning-kernel",
8266
+ ontologyPrimitive: "graph",
8267
+ tier: "workhorse"
8268
+ };
8269
+ var UPDATE_EPISTEMIC_NODE = {
8270
+ name: "update_epistemic_node",
8271
+ description: "Amend an epistemic graph node. Like `git commit --amend` \u2014 updates mutable node metadata, text, status, or verification fields.",
8272
+ parameters: {
8273
+ nodeId: { type: "string", description: "Node ID or global ID" },
8274
+ canonicalText: { type: "string", description: "Updated canonical text" },
8275
+ text: { type: "string", description: "Alias for canonicalText" },
8276
+ contentHash: { type: "string", description: "Updated content hash" },
8277
+ content: { type: "string", description: "Updated content" },
8278
+ title: { type: "string", description: "Updated display title" },
8279
+ metadata: { type: "object", description: "Updated metadata" },
8280
+ confidence: { type: "number", description: "Updated confidence" },
8281
+ verificationStatus: { type: "string", description: "Updated verification status" },
8282
+ status: { type: "string", description: "Updated lifecycle status" }
8283
+ },
8284
+ required: ["nodeId"],
8285
+ response: {
8286
+ description: "Node update result",
8287
+ fields: { success: "boolean" }
8288
+ },
8289
+ ownerModule: "reasoning-kernel",
8290
+ ontologyPrimitive: "graph",
8291
+ tier: "workhorse"
8292
+ };
8293
+ var ARCHIVE_EPISTEMIC_NODE = {
8294
+ name: "archive_epistemic_node",
8295
+ description: "Archive an epistemic graph node. Like `git rm --cached` \u2014 removes a node from active traversal without hard-deleting it.",
8296
+ parameters: {
8297
+ nodeId: { type: "string", description: "Node ID or global ID" }
8298
+ },
8299
+ required: ["nodeId"],
8300
+ response: {
8301
+ description: "Archive result",
8302
+ fields: { success: "boolean", effectiveStatus: "string" }
8303
+ },
8304
+ ownerModule: "reasoning-kernel",
8305
+ ontologyPrimitive: "graph",
8306
+ tier: "workhorse"
8307
+ };
8308
+ var VERIFY_EPISTEMIC_NODE = {
8309
+ name: "verify_epistemic_node",
8310
+ description: "Record verification state on an epistemic graph node. Like `git tag` \u2014 marks the node with a reviewed verification state.",
8311
+ parameters: {
8312
+ nodeId: { type: "string", description: "Node ID or global ID" },
8313
+ verificationStatus: { type: "string", description: "Verification status" },
8314
+ confidence: { type: "number", description: "Optional confidence update" }
8315
+ },
8316
+ required: ["nodeId", "verificationStatus"],
8317
+ response: {
8318
+ description: "Verification result",
8319
+ fields: { success: "boolean" }
8320
+ },
8321
+ ownerModule: "reasoning-kernel",
8322
+ ontologyPrimitive: "graph",
8323
+ tier: "workhorse"
8324
+ };
8325
+ var SUPERSEDE_EPISTEMIC_NODE = {
8326
+ name: "supersede_epistemic_node",
8327
+ description: "Supersede an epistemic graph node with a new version. Like `git commit --amend` on an immutable history branch \u2014 creates the replacement and marks the old node superseded.",
8328
+ parameters: {
8329
+ oldNodeId: { type: "string", description: "Node ID or global ID to supersede" },
8330
+ newGlobalId: { type: "string", description: "Optional replacement global ID" },
8331
+ newCanonicalText: { type: "string", description: "Replacement canonical text" },
8332
+ text: { type: "string", description: "Alias for newCanonicalText" },
8333
+ newContentHash: { type: "string", description: "Optional replacement content hash" },
8334
+ reason: { type: "string", description: "Reason for superseding" }
8335
+ },
8336
+ required: ["oldNodeId"],
8337
+ response: {
8338
+ description: "Supersede result",
8339
+ fields: { oldNodeId: "string", newNodeId: "string" }
8340
+ },
8341
+ ownerModule: "reasoning-kernel",
8342
+ ontologyPrimitive: "graph",
8343
+ tier: "workhorse"
8344
+ };
8345
+ var BATCH_CREATE_EPISTEMIC_NODES = {
8346
+ name: "batch_create_epistemic_nodes",
8347
+ description: "Commit multiple epistemic graph nodes. Like `git commit` with many staged files \u2014 writes a batch of canonical spine nodes.",
8348
+ parameters: {
8349
+ nodes: {
8350
+ type: "array",
8351
+ description: "Nodes to create with nodeType, canonicalText/text, and optional metadata."
8352
+ }
8353
+ },
8354
+ required: ["nodes"],
8355
+ response: {
8356
+ description: "Batch node creation result",
8357
+ fields: { created: "number", results: "array" }
8358
+ },
8359
+ ownerModule: "reasoning-kernel",
8360
+ ontologyPrimitive: "graph",
8361
+ tier: "workhorse"
8362
+ };
6268
8363
  var RECORD_JUDGMENT = {
6269
8364
  name: "record_judgment",
6270
8365
  description: "Record a judgment \u2014 an irreversible commitment based on the current epistemic state. Like a `git tag` marking a release. A judgment synthesizes beliefs, evidence, and uncertainties into a determination. Once issued, a judgment is evaluated against the epistemic state that existed when it was made (knowledge horizon evaluation, Invariant #10).",
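Review bot: `BATCH_CREATE_EDGES` exposes `skipLayerValidation` as an ordinary caller-settable boolean, so any agent allowed to call `batch_create_edges` can ask for kernel layer validation to be bypassed. The description limits it to "trusted materialization flows", but nothing in the contract enforces that. Either drop the flag from the public tool contract and set it only from internal callers, or have the handler (not visible here) ignore it unless the session holds a dedicated scope. The description should state this: `description: "Skip kernel layer validation. Honored only for internal materialization callers; ignored otherwise."`. In the same hunk `UPDATE_EPISTEMIC_NODE` accepts `verificationStatus`, which duplicates `verify_epistemic_node`; if verification is meant to be authorized separately, remove that field from the update contract.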
@@ -7464,8 +9559,8 @@ var IDENTITY_WHOAMI = {
7464
9559
  response: {
7465
9560
  description: "Canonical identity summary for the current session",
7466
9561
  fields: {
7467
- principalId: "string \u2014 canonical federated principal identifier",
7468
- principalType: "string \u2014 human, service, or agent",
9562
+ principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
9563
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
7469
9564
  tenantId: "string | undefined \u2014 resolved tenant scope",
7470
9565
  workspaceId: "string | undefined \u2014 resolved workspace scope",
7471
9566
  scopes: "string[] | undefined \u2014 granted scopes for this session",
@@ -7476,6 +9571,49 @@ var IDENTITY_WHOAMI = {
7476
9571
  ontologyPrimitive: "identity",
7477
9572
  tier: "workhorse"
7478
9573
  };
9574
+ var RESOLVE_INTERACTIVE_PRINCIPAL = {
9575
+ name: "resolve_interactive_principal",
9576
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
9577
+ parameters: {
9578
+ clerkId: {
9579
+ type: "string",
9580
+ description: "Authenticated Clerk subject (`sub`). Clerk proves identity only; it is not the authorization record."
9581
+ },
9582
+ tenantId: {
9583
+ type: "string",
9584
+ description: "Optional tenant scope. Omit only when the Clerk alias is globally unambiguous."
9585
+ },
9586
+ workspaceId: {
9587
+ type: "string",
9588
+ description: "Optional workspace scope. Required when the principal has access to multiple workspaces and no default can be inferred."
9589
+ },
9590
+ providerProjectId: {
9591
+ type: "string",
9592
+ description: "Optional Clerk project or provider instance id for tenants with multiple identity providers."
9593
+ }
9594
+ },
9595
+ required: ["clerkId"],
9596
+ response: {
9597
+ description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
9598
+ fields: {
9599
+ principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
9600
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
9601
+ clerkId: "string \u2014 authenticated Clerk subject alias",
9602
+ tenantId: "string \u2014 resolved tenant scope",
9603
+ workspaceId: "string | null \u2014 resolved workspace scope",
9604
+ roles: "string[] \u2014 effective Permit roles",
9605
+ scopes: "string[] \u2014 effective scopes derived from Permit/control-plane projection",
9606
+ groupIds: "string[] \u2014 active Permit group memberships",
9607
+ principalStatus: "string \u2014 active, invited, suspended, disabled, revoked, or missing",
9608
+ tenantStatus: "string \u2014 projected tenant resource status",
9609
+ workspaceStatus: "string \u2014 projected workspace resource status",
9610
+ permit: "object \u2014 Permit subject, tenant, and optional workspace tuple"
9611
+ }
9612
+ },
9613
+ ownerModule: "control-plane",
9614
+ ontologyPrimitive: "identity",
9615
+ tier: "workhorse"
9616
+ };
7479
9617
  var COMPILE_CONTEXT = {
7480
9618
  name: "compile_context",
7481
9619
  description: "Compile a focused reasoning context. If topicId is omitted, Lucern resolves the best topic from the query. Like `git log --graph --decorate` for the reasoning substrate \u2014 returns the canonical Pillar 3 context pack through the public API shape.",
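Review bot: `RESOLVE_INTERACTIVE_PRINCIPAL` takes `clerkId` as a required caller-supplied string and returns that subject's roles, scopes, group memberships and status. The description calls it the authenticated subject, but the contract cannot tell a verified `sub` from an arbitrary ID a caller types in. If the handler (not visible here) looks up whatever `clerkId` it is given, any session able to call this tool can read another user's authorization context. The subject should be taken from the verified session token, with the parameter rejected when it differs, and the description should say so: `description: "Clerk subject (sub). Must equal the subject of the verified session; mismatches are rejected."`. The later `MCP_CORE_OPERATION_NAMES` hunk adds this tool to the core list, which widens who can reach it.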
@@ -7737,6 +9875,10 @@ var CREATE_TASK = {
7737
9875
  tags: {
7738
9876
  type: "array",
7739
9877
  description: "Free-form string tags"
9878
+ },
9879
+ metadata: {
9880
+ type: "object",
9881
+ description: "Structured task metadata for handoff context and routing hints"
7740
9882
  }
7741
9883
  },
7742
9884
  required: ["title"],
@@ -7810,6 +9952,10 @@ var UPDATE_TASK = {
7810
9952
  type: "string",
7811
9953
  description: "Updated status",
7812
9954
  enum: ["todo", "in_progress", "blocked", "done"]
9955
+ },
9956
+ metadata: {
9957
+ type: "object",
9958
+ description: "Structured task metadata to replace or refine"
7813
9959
  }
7814
9960
  },
7815
9961
  required: ["taskId"],
@@ -7857,6 +10003,10 @@ var CREATE_TOPIC = {
7857
10003
  name: "create_topic",
7858
10004
  description: "Create a new topic container for scoping knowledge. Like `git init` \u2014 initializes a new repository for a knowledge domain. Topics are hierarchical: a deal topic can nest under a theme topic. Types: domain, theme, deal, strategy, constitution, project, portfolio.",
7859
10005
  parameters: {
10006
+ globalId: {
10007
+ type: "string",
10008
+ description: "Optional idempotent topic global ID"
10009
+ },
7860
10010
  name: { type: "string", description: "Topic name" },
7861
10011
  type: {
7862
10012
  type: "string",
@@ -7867,6 +10017,18 @@ var CREATE_TOPIC = {
7867
10017
  type: "string",
7868
10018
  description: "Optional parent topic for nesting"
7869
10019
  },
10020
+ parentTopicGlobalId: {
10021
+ type: "string",
10022
+ description: "Optional parent topic global ID for nesting"
10023
+ },
10024
+ tenantId: { type: "string", description: "Optional tenant scope" },
10025
+ workspaceId: { type: "string", description: "Optional workspace scope" },
10026
+ visibility: {
10027
+ type: "string",
10028
+ description: "Topic visibility",
10029
+ enum: ["private", "team", "firm", "external", "public"]
10030
+ },
10031
+ metadata: { type: "object", description: "Optional topic metadata" },
7870
10032
  createdBy: { type: "string", description: "Who created this topic" }
7871
10033
  },
7872
10034
  required: ["name", "type"],
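Review bot: `create_topic` now accepts `tenantId` and `workspaceId` as optional caller-supplied parameters, described only as "Optional tenant scope" and "Optional workspace scope". If the handler (not visible here) writes the topic under the supplied values without comparing them to the session's resolved tenant and workspace, a caller could create topics in a scope it does not belong to. State the rule in the contract, e.g. `tenantId: { type: "string", description: "Optional tenant scope; must match the session's resolved tenant" }`, and the same for `workspaceId`. The new `visibility` enum includes `"public"` and `"external"` with no default named, so the description should also say which value applies when the field is omitted. `CREATE_TOPIC` starts and ends outside the hunk.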
@@ -7875,6 +10037,9 @@ var CREATE_TOPIC = {
7875
10037
  fields: {
7876
10038
  id: "string \u2014 topic ID",
7877
10039
  globalId: "string \u2014 globally unique ID",
10040
+ topicGlobalId: "string \u2014 topic global ID",
10041
+ epistemicNodeId: "string \u2014 materialized topic node ID",
10042
+ epistemicNodeGlobalId: "string \u2014 materialized topic node global ID",
7878
10043
  depth: "number \u2014 nesting depth"
7879
10044
  }
7880
10045
  },
@@ -8005,6 +10170,65 @@ var GET_TOPIC_TREE = {
8005
10170
  ontologyPrimitive: "graph",
8006
10171
  tier: "workhorse"
8007
10172
  };
10173
+ var MATERIALIZE_TOPIC_GRAPH = {
10174
+ name: "materialize_topic_graph",
10175
+ description: "Backfill the topic graph spine. Like `git fsck --connectivity-only` with repair enabled \u2014 creates missing topic nodes and parent-child edges idempotently.",
10176
+ parameters: {
10177
+ rootTopicId: {
10178
+ type: "string",
10179
+ description: "Optional root topic for a bounded materialization pass"
10180
+ },
10181
+ dryRun: {
10182
+ type: "boolean",
10183
+ description: "When true, report missing rows without writing them"
10184
+ }
10185
+ },
10186
+ required: [],
10187
+ response: {
10188
+ description: "Topic graph materialization counts",
10189
+ fields: {
10190
+ topicsSeen: "number",
10191
+ nodesCreated: "number",
10192
+ nodesExisting: "number",
10193
+ edgesCreated: "number",
10194
+ edgesExisting: "number",
10195
+ errors: "array"
10196
+ }
10197
+ },
10198
+ ownerModule: "reasoning-kernel",
10199
+ ontologyPrimitive: "graph",
10200
+ tier: "workhorse"
10201
+ };
10202
+ var GET_TOPIC_GRAPH_SPINE = {
10203
+ name: "get_topic_graph_spine",
10204
+ description: "Verify the topic graph spine. Like `git fsck` \u2014 reads topics, materialized topic nodes, parent-child edges, and missing spine rows.",
10205
+ parameters: {
10206
+ rootTopicId: {
10207
+ type: "string",
10208
+ description: "Optional root topic for a bounded verifier pass"
10209
+ },
10210
+ includeTopicBeliefEdges: {
10211
+ type: "boolean",
10212
+ description: "Include topic -> belief edges in the verifier payload"
10213
+ }
10214
+ },
10215
+ required: [],
10216
+ response: {
10217
+ description: "Topic graph spine verification payload",
10218
+ fields: {
10219
+ ok: "boolean",
10220
+ counts: "object",
10221
+ topics: "array",
10222
+ topicNodes: "array",
10223
+ parentEdges: "array",
10224
+ missingTopicNodes: "array",
10225
+ missingParentEdges: "array"
10226
+ }
10227
+ },
10228
+ ownerModule: "reasoning-kernel",
10229
+ ontologyPrimitive: "graph",
10230
+ tier: "workhorse"
10231
+ };
8008
10232
  var GET_CODE_CONTEXT = {
8009
10233
  name: "get_code_context",
8010
10234
  description: "Returns code-grounded beliefs, contracts, migration states, and failed attempts anchored to a specific file or function path. Like `git log -- <path>` \u2014 filters the knowledge graph to nodes anchored to a file path via metadata.codeAnchors. Results are separated by coding belief type: decisions, contracts, migrations, patterns, deprecations, and failures.",
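Review bot: `MATERIALIZE_TOPIC_GRAPH` is a write operation whose only guard is the optional `dryRun` flag, and the contract does not say what happens when the flag is omitted. With `required: []` and no `rootTopicId`, a bare call presumably runs an unbounded write pass over every topic. State the default in the parameter text, e.g. `description: "When true, report missing rows without writing them. When omitted, missing rows are written."`, or make dry-run the default so that writes need an explicit `dryRun: false`. The later `MCP_CORE_OPERATION_NAMES` hunk lists this tool among the core operations, so the default matters for every agent on that surface.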
@@ -8200,7 +10424,7 @@ var MANAGE_WRITE_POLICY = {
8200
10424
  },
8201
10425
  role: {
8202
10426
  type: "string",
8203
- description: "Role to set policy for (required for 'set'). E.g. 'agent:internal', 'user:analyst'."
10427
+ description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
8204
10428
  },
8205
10429
  permission: {
8206
10430
  type: "string",
@@ -9187,6 +11411,9 @@ var BEGIN_BUILD_SESSION = {
9187
11411
  sessionMode: "string \u2014 async | interactive",
9188
11412
  targetBeliefIds: "array \u2014 scoped belief IDs",
9189
11413
  targetQuestionIds: "array \u2014 scoped question IDs",
11414
+ taskIds: "array \u2014 assigned task IDs for this worktree",
11415
+ incompleteTaskIds: "array \u2014 assigned task IDs that still require done/deferred/blocked proof",
11416
+ tasks: "array \u2014 assigned task packet with id, title, status, priority, links, and summaries",
9190
11417
  topBeliefs: "array \u2014 highest-confidence scoped beliefs",
9191
11418
  openQuestions: "array \u2014 open scoped questions",
9192
11419
  resolvedDecisions: "array \u2014 answered questions summarized for the session",
@@ -9242,6 +11469,19 @@ var MCP_TOOL_CONTRACTS = {
9242
11469
  bisect_confidence: BISECT_CONFIDENCE,
9243
11470
  // Edges (commit)
9244
11471
  create_edge: CREATE_EDGE,
11472
+ update_edge: UPDATE_EDGE,
11473
+ remove_edge: REMOVE_EDGE,
11474
+ remove_edges_between: REMOVE_EDGES_BETWEEN,
11475
+ batch_create_edges: BATCH_CREATE_EDGES,
11476
+ // Epistemic node spine (commit/amend/show)
11477
+ create_epistemic_node: CREATE_EPISTEMIC_NODE,
11478
+ get_epistemic_node: GET_EPISTEMIC_NODE,
11479
+ list_epistemic_nodes: LIST_EPISTEMIC_NODES,
11480
+ update_epistemic_node: UPDATE_EPISTEMIC_NODE,
11481
+ archive_epistemic_node: ARCHIVE_EPISTEMIC_NODE,
11482
+ verify_epistemic_node: VERIFY_EPISTEMIC_NODE,
11483
+ supersede_epistemic_node: SUPERSEDE_EPISTEMIC_NODE,
11484
+ batch_create_epistemic_nodes: BATCH_CREATE_EPISTEMIC_NODES,
9245
11485
  // Judgments (tag)
9246
11486
  record_judgment: RECORD_JUDGMENT,
9247
11487
  // Graph intelligence (showcase)
@@ -9276,6 +11516,7 @@ var MCP_TOOL_CONTRACTS = {
9276
11516
  update_worktree_targets: UPDATE_WORKTREE_TARGETS,
9277
11517
  update_worktree_metadata: UPDATE_WORKTREE_METADATA,
9278
11518
  identity_whoami: IDENTITY_WHOAMI,
11519
+ resolve_interactive_principal: RESOLVE_INTERACTIVE_PRINCIPAL,
9279
11520
  compile_context: COMPILE_CONTEXT,
9280
11521
  record_scope_learning: RECORD_SCOPE_LEARNING,
9281
11522
  pipeline_snapshot: PIPELINE_SNAPSHOT,
@@ -9315,6 +11556,8 @@ var MCP_TOOL_CONTRACTS = {
9315
11556
  get_topic: GET_TOPIC,
9316
11557
  update_topic: UPDATE_TOPIC,
9317
11558
  get_topic_tree: GET_TOPIC_TREE,
11559
+ materialize_topic_graph: MATERIALIZE_TOPIC_GRAPH,
11560
+ get_topic_graph_spine: GET_TOPIC_GRAPH_SPINE,
9318
11561
  // Coding intelligence (code-grounded knowledge)
9319
11562
  get_code_context: GET_CODE_CONTEXT,
9320
11563
  get_change_history: GET_CHANGE_HISTORY,
@@ -9391,6 +11634,7 @@ function entries(names, surfaceClass, surfaceIntent, surfaces, rationale) {
9391
11634
  var MCP_CORE_OPERATION_NAMES = [
9392
11635
  "compile_context",
9393
11636
  "identity_whoami",
11637
+ "resolve_interactive_principal",
9394
11638
  "check_permission",
9395
11639
  "filter_by_permission",
9396
11640
  "create_belief",
@@ -9419,14 +11663,28 @@ var MCP_CORE_OPERATION_NAMES = [
9419
11663
  "find_missing_questions",
9420
11664
  "get_high_priority_questions",
9421
11665
  "get_falsification_questions",
11666
+ "create_epistemic_node",
11667
+ "get_epistemic_node",
11668
+ "list_epistemic_nodes",
11669
+ "update_epistemic_node",
11670
+ "archive_epistemic_node",
11671
+ "verify_epistemic_node",
11672
+ "supersede_epistemic_node",
11673
+ "batch_create_epistemic_nodes",
9422
11674
  "create_topic",
9423
11675
  "get_topic",
9424
11676
  "list_topics",
9425
11677
  "update_topic",
9426
- "get_topic_tree"
11678
+ "get_topic_tree",
11679
+ "materialize_topic_graph",
11680
+ "get_topic_graph_spine"
9427
11681
  ];
9428
11682
  var MCP_ANALYSIS_PLATFORM_OPERATION_NAMES = [
9429
11683
  "create_edge",
11684
+ "update_edge",
11685
+ "remove_edge",
11686
+ "remove_edges_between",
11687
+ "batch_create_edges",
9430
11688
  "query_lineage",
9431
11689
  "traverse_graph",
9432
11690
  "get_graph_neighborhood",
@@ -9758,12 +12016,20 @@ function unwrapMcpParameterSchema(schema) {
9758
12016
  current = current._def.schema;
9759
12017
  continue;
9760
12018
  default:
9761
- return { schema: current, required, description: description ?? current.description };
12019
+ return {
12020
+ schema: current,
12021
+ required,
12022
+ description: description ?? current.description
12023
+ };
9762
12024
  }
9763
12025
  }
9764
12026
  }
9765
12027
  function mcpParameterFromZod(fieldName, schema, contractName) {
9766
- const { schema: unwrapped, required, description: schemaDescription } = unwrapMcpParameterSchema(schema);
12028
+ const {
12029
+ schema: unwrapped,
12030
+ required,
12031
+ description: schemaDescription
12032
+ } = unwrapMcpParameterSchema(schema);
9767
12033
  const description = schemaDescription ?? unwrapped.description ?? fieldName;
9768
12034
  switch (unwrapped._def.typeName) {
9769
12035
  case z.ZodFirstPartyTypeKind.ZodString:
@@ -9808,10 +12074,12 @@ function mcpContractFromArgsSchema(base, args, contractName) {
9808
12074
  const entries2 = Object.entries(getObjectShape(args)).sort(
9809
12075
  ([left], [right]) => left.localeCompare(right)
9810
12076
  );
9811
- const converted = entries2.map(([fieldName, schema]) => [
9812
- fieldName,
9813
- mcpParameterFromZod(fieldName, schema, contractName)
9814
- ]);
12077
+ const converted = entries2.map(
12078
+ ([fieldName, schema]) => [
12079
+ fieldName,
12080
+ mcpParameterFromZod(fieldName, schema, contractName)
12081
+ ]
12082
+ );
9815
12083
  return {
9816
12084
  ...base,
9817
12085
  parameters: Object.fromEntries(
@@ -9920,9 +12188,16 @@ function surfaceContract(args) {
9920
12188
  scopes: args.scopes ?? [
9921
12189
  args.kind === "query" ? `${args.domain}.read` : `${args.domain}.write`
9922
12190
  ],
9923
- allowedPrincipalTypes: ["user", "service", "agent"]
12191
+ allowedPrincipalTypes: [
12192
+ "user",
12193
+ "service",
12194
+ "agent",
12195
+ "group",
12196
+ "external_viewer"
12197
+ ]
9924
12198
  },
9925
12199
  convex: args.convex,
12200
+ gateway: args.gateway,
9926
12201
  args: canonicalArgs,
9927
12202
  returns: canonicalReturns,
9928
12203
  input,
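Review bot: The new `allowedPrincipalTypes` list is a fixed literal, so every contract built by surfaceContract now admits `group` and `external_viewer` principals, mutations included, while `scopes` on the line above can still be overridden per contract. Whether scopes alone keep an external viewer away from write surfaces is decided outside this hunk, so I would not widen the default for both kinds at once. Consider making it overridable and narrower for writes, e.g. `allowedPrincipalTypes: args.allowedPrincipalTypes ?? (args.kind === "query" ? ["user", "service", "agent", "group", "external_viewer"] : ["user", "service", "agent"])`. surfaceContract starts and ends outside the hunk.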
@@ -10061,8 +12336,6 @@ var contextContracts = [
10061
12336
  args: observationContextArgs
10062
12337
  })
10063
12338
  ];
10064
-
10065
- // ../contracts/src/function-registry/identity.ts
10066
12339
  var withPrincipal = (input, context) => ({
10067
12340
  ...input,
10068
12341
  tenantId: input.tenantId ?? context.tenantId,
@@ -10081,11 +12354,30 @@ var identityContracts = [
10081
12354
  sdkNamespace: "identity",
10082
12355
  sdkMethod: "whoami",
10083
12356
  summary: "Describe the current gateway principal.",
12357
+ gateway: {
12358
+ handler: "identity.whoami"
12359
+ }
12360
+ }),
12361
+ surfaceContract({
12362
+ name: "resolve_interactive_principal",
12363
+ kind: "query",
12364
+ domain: "controlPlane",
12365
+ surfaceClass: "platform_public",
12366
+ method: "POST",
12367
+ path: "/control-plane/identity/resolve-interactive-principal",
12368
+ sdkNamespace: "controlPlane.identity",
12369
+ sdkMethod: "resolveInteractivePrincipal",
12370
+ summary: "Resolve an authenticated Clerk user into a Permit-backed Lucern principal context.",
12371
+ args: z.object({
12372
+ clerkId: z.string().min(1),
12373
+ tenantId: z.string().min(1).optional(),
12374
+ workspaceId: z.string().min(1).optional(),
12375
+ providerProjectId: z.string().min(1).optional()
12376
+ }),
10084
12377
  convex: {
10085
- module: "identity",
10086
- functionName: "whoami",
10087
- kind: "query",
10088
- inputProjection: withPrincipal
12378
+ module: "platform",
12379
+ functionName: "resolveInteractivePrincipal",
12380
+ kind: "query"
10089
12381
  }
10090
12382
  }),
10091
12383
  surfaceContract({
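Review bot: `resolve_interactive_principal` takes `clerkId` from the request body and its `convex` block has no `inputProjection`, so nothing in this contract binds the looked-up user to the caller that was actually authenticated. The summary says the Clerk user is authenticated, but the schema only requires a non-empty string; unless `platform.resolveInteractivePrincipal` compares it with the verified session subject (not visible here), a caller holding the read scope could resolve the principal context of another user. I would take the subject from the request context, e.g. `inputProjection: (input, context) => ({ ...input, clerkId: <verified subject from context> })`, or limit the contract to service principals. The same applies to the optional `tenantId` and `workspaceId`. identityContracts continues outside the hunk.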
@@ -10167,15 +12459,6 @@ var beliefLookupInput = (input) => compactRecord4({
10167
12459
  var beliefNodeInput = (input) => compactRecord4({
10168
12460
  nodeId: input.nodeId ?? input.id ?? input.beliefId
10169
12461
  });
10170
- var beliefTopicInput = (input) => {
10171
- const parsed = listBeliefsProjection.inputSchema.safeParse(input);
10172
- if (!parsed.success) {
10173
- throw new Error(
10174
- `list_beliefs projection input rejected: ${parsed.error.message}`
10175
- );
10176
- }
10177
- return compactRecord4(listBeliefsProjection.project(parsed.data));
10178
- };
10179
12462
  var createBeliefInput = (input, context) => {
10180
12463
  return withUserId(
10181
12464
  compactRecord4({
@@ -10264,11 +12547,8 @@ var beliefsContracts = [
10264
12547
  sdkNamespace: "beliefs",
10265
12548
  sdkMethod: "listBeliefs",
10266
12549
  summary: "List beliefs for a topic.",
10267
- convex: {
10268
- module: "beliefs",
10269
- functionName: "getByTopic",
10270
- kind: "query",
10271
- inputProjection: beliefTopicInput
12550
+ gateway: {
12551
+ handler: "beliefs.list"
10272
12552
  },
10273
12553
  args: listBeliefsInputSchema
10274
12554
  }),
@@ -10409,7 +12689,7 @@ var beliefsContracts = [
10409
12689
  })
10410
12690
  ];
10411
12691
  var jsonRecordSchema4 = z.record(z.unknown());
10412
- var evidenceRelationSchema = z.enum(["supports", "contradicts", "neutral"]);
12692
+ var evidenceRelationSchema = z.enum(["supports", "contradicts"]);
10413
12693
  var createEvidenceArgs = z.object({
10414
12694
  topicId: z.string().optional().describe("Topic scope for the evidence."),
10415
12695
  text: z.string().describe("Canonical evidence text."),
@@ -10453,12 +12733,6 @@ var evidenceIdInput = (input) => compactRecord4({
10453
12733
  insightId: input.insightId,
10454
12734
  nodeId: input.nodeId ?? input.id ?? input.evidenceId
10455
12735
  });
10456
- var evidenceTopicInput = (input) => compactRecord4({
10457
- topicId: input.topicId,
10458
- status: input.status,
10459
- userId: input.userId,
10460
- limit: input.limit
10461
- });
10462
12736
  var createEvidenceInput = (input, context) => {
10463
12737
  const parsed = createEvidenceProjection.inputSchema.safeParse(input);
10464
12738
  if (!parsed.success) {
@@ -10589,11 +12863,8 @@ var evidenceContracts = [
10589
12863
  sdkNamespace: "evidence",
10590
12864
  sdkMethod: "listEvidence",
10591
12865
  summary: "List evidence for a topic.",
10592
- convex: {
10593
- module: "evidence",
10594
- functionName: "getByTopic",
10595
- kind: "query",
10596
- inputProjection: evidenceTopicInput
12866
+ gateway: {
12867
+ handler: "evidence.list"
10597
12868
  }
10598
12869
  }),
10599
12870
  surfaceContract({
@@ -10828,11 +13099,8 @@ var questionsContracts = [
10828
13099
  sdkNamespace: "questions",
10829
13100
  sdkMethod: "listQuestions",
10830
13101
  summary: "List questions for a topic.",
10831
- convex: {
10832
- module: "questions",
10833
- functionName: "getByTopic",
10834
- kind: "query",
10835
- inputProjection: questionTopicInput
13102
+ gateway: {
13103
+ handler: "questions.list"
10836
13104
  }
10837
13105
  }),
10838
13106
  surfaceContract({
@@ -11035,18 +13303,50 @@ var questionsContracts = [
11035
13303
  args: falsificationQuestionsArgs
11036
13304
  })
11037
13305
  ];
13306
+ var topicVisibilitySchema = z.enum([
13307
+ "private",
13308
+ "team",
13309
+ "firm",
13310
+ "external",
13311
+ "public"
13312
+ ]);
13313
+ var topicStatusSchema = z.enum(["active", "archived", "watching"]);
13314
+ var createTopicArgs = z.object({
13315
+ globalId: z.string().optional().describe("Optional idempotent topic global ID."),
13316
+ name: z.string().describe("Topic name."),
13317
+ description: z.string().optional().describe("Topic description."),
13318
+ type: z.string().describe("Topic type."),
13319
+ parentTopicId: z.string().optional().describe("Optional parent topic ID."),
13320
+ parentTopicGlobalId: z.string().optional().describe("Optional parent topic global ID."),
13321
+ ontologyId: z.string().optional().describe("Ontology to bind."),
13322
+ tenantId: z.string().optional().describe("Optional tenant scope."),
13323
+ workspaceId: z.string().optional().describe("Optional workspace scope."),
13324
+ visibility: topicVisibilitySchema.optional().describe("Topic visibility."),
13325
+ metadata: z.record(z.unknown()).optional().describe("Topic metadata."),
13326
+ graphScopeProjectId: z.string().optional(),
13327
+ createdBy: z.string().optional()
13328
+ });
11038
13329
  var updateTopicArgs = z.object({
11039
13330
  id: z.string().describe("Topic ID."),
11040
13331
  topicId: z.string().optional().describe("Topic ID alias."),
11041
13332
  name: z.string().optional().describe("Topic name."),
11042
13333
  description: z.string().optional().describe("Topic description."),
11043
13334
  type: z.string().optional().describe("Topic type."),
11044
- status: z.string().optional().describe("Topic status."),
11045
- visibility: z.string().optional().describe("Topic visibility."),
13335
+ status: topicStatusSchema.optional().describe("Topic status."),
13336
+ visibility: topicVisibilitySchema.optional().describe("Topic visibility."),
11046
13337
  ontologyId: z.string().optional().describe("Ontology to bind."),
11047
13338
  clearOntologyId: z.boolean().optional().describe("Whether to clear the ontology binding."),
11048
13339
  metadata: z.record(z.unknown()).optional().describe("Topic metadata.")
11049
13340
  });
13341
+ var materializeTopicGraphArgs = z.object({
13342
+ rootTopicId: z.string().optional().describe("Optional root topic ID."),
13343
+ dryRun: z.boolean().optional().describe("Report missing rows without writing."),
13344
+ createdBy: z.string().optional()
13345
+ });
13346
+ var getTopicGraphSpineArgs = z.object({
13347
+ rootTopicId: z.string().optional().describe("Optional root topic ID."),
13348
+ includeTopicBeliefEdges: z.boolean().optional()
13349
+ });
11050
13350
  var topicIdInput = (input) => compactRecord4({
11051
13351
  id: input.id ?? input.topicId
11052
13352
  });
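Review bot: `createTopicArgs` and `materializeTopicGraphArgs` both accept an undocumented `createdBy: z.string().optional()`, and both feed `platform_public` contracts declared in the next hunk, which lets the request body name the author of the write. How `withCreatedBy` treats the field is not visible on this page, but `supersedeNodeInput` in the next hunk shows the pattern explicitly: `typeof input.createdBy === "string" ? input.createdBy : authUserId(context)` prefers the caller's value over the authenticated identity, and `createEpistemicNodeItemArgs` and `supersedeEpistemicNodeArgs` carry the same field. For a trustworthy audit trail the author should come from the context only; drop `createdBy` from the public schemas and use `createdBy: authUserId(context),` in the projection. If service callers need to act on behalf of a user, gate that on the principal type rather than on the presence of the field.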
@@ -11064,87 +13364,488 @@ var updateTopicInput = (input) => compactRecord4({
11064
13364
  });
11065
13365
  var topicsContracts = [
11066
13366
  surfaceContract({
11067
- name: "create_topic",
13367
+ name: "create_topic",
13368
+ kind: "mutation",
13369
+ domain: "topics",
13370
+ surfaceClass: "platform_public",
13371
+ path: "/topics",
13372
+ sdkNamespace: "topics",
13373
+ sdkMethod: "createTopic",
13374
+ summary: "Create a topic.",
13375
+ convex: {
13376
+ module: "topics",
13377
+ functionName: "create",
13378
+ kind: "mutation",
13379
+ inputProjection: withCreatedBy
13380
+ },
13381
+ args: createTopicArgs
13382
+ }),
13383
+ surfaceContract({
13384
+ name: "get_topic",
13385
+ kind: "query",
13386
+ domain: "topics",
13387
+ surfaceClass: "platform_public",
13388
+ method: "GET",
13389
+ path: "/topics/get",
13390
+ sdkNamespace: "topics",
13391
+ sdkMethod: "getTopic",
13392
+ summary: "Get a topic.",
13393
+ convex: {
13394
+ module: "topics",
13395
+ functionName: "get",
13396
+ kind: "query",
13397
+ inputProjection: topicIdInput
13398
+ }
13399
+ }),
13400
+ surfaceContract({
13401
+ name: "list_topics",
13402
+ kind: "query",
13403
+ domain: "topics",
13404
+ surfaceClass: "platform_public",
13405
+ method: "GET",
13406
+ path: "/topics",
13407
+ sdkNamespace: "topics",
13408
+ sdkMethod: "listTopics",
13409
+ summary: "List topics.",
13410
+ convex: {
13411
+ module: "topics",
13412
+ functionName: "list",
13413
+ kind: "query"
13414
+ }
13415
+ }),
13416
+ surfaceContract({
13417
+ name: "update_topic",
13418
+ kind: "mutation",
13419
+ domain: "topics",
13420
+ surfaceClass: "platform_public",
13421
+ method: "PATCH",
13422
+ path: "/topics",
13423
+ sdkNamespace: "topics",
13424
+ sdkMethod: "updateTopic",
13425
+ summary: "Update a topic.",
13426
+ convex: {
13427
+ module: "topics",
13428
+ functionName: "update",
13429
+ kind: "mutation",
13430
+ inputProjection: updateTopicInput
13431
+ },
13432
+ args: updateTopicArgs
13433
+ }),
13434
+ surfaceContract({
13435
+ name: "get_topic_tree",
13436
+ kind: "query",
13437
+ domain: "topics",
13438
+ surfaceClass: "platform_public",
13439
+ method: "GET",
13440
+ path: "/topics/tree",
13441
+ sdkNamespace: "topics",
13442
+ sdkMethod: "getTopicTree",
13443
+ summary: "Get a topic tree.",
13444
+ convex: {
13445
+ module: "topics",
13446
+ functionName: "getTree",
13447
+ kind: "query"
13448
+ }
13449
+ }),
13450
+ surfaceContract({
13451
+ name: "materialize_topic_graph",
13452
+ kind: "mutation",
13453
+ domain: "topics",
13454
+ surfaceClass: "platform_public",
13455
+ path: "/topics/materialize-graph",
13456
+ sdkNamespace: "topics",
13457
+ sdkMethod: "materializeTopicGraph",
13458
+ summary: "Materialize topic nodes and parent-child graph edges.",
13459
+ convex: {
13460
+ module: "topics",
13461
+ functionName: "materializeTopicGraph",
13462
+ kind: "mutation",
13463
+ inputProjection: withCreatedBy
13464
+ },
13465
+ args: materializeTopicGraphArgs
13466
+ }),
13467
+ surfaceContract({
13468
+ name: "get_topic_graph_spine",
13469
+ kind: "query",
13470
+ domain: "topics",
13471
+ surfaceClass: "platform_public",
13472
+ method: "GET",
13473
+ path: "/topics/graph-spine",
13474
+ sdkNamespace: "topics",
13475
+ sdkMethod: "getTopicGraphSpine",
13476
+ summary: "Verify topic nodes and parent-child graph edges.",
13477
+ convex: {
13478
+ module: "topics",
13479
+ functionName: "getTopicGraphSpine",
13480
+ kind: "query"
13481
+ },
13482
+ args: getTopicGraphSpineArgs
13483
+ })
13484
+ ];
13485
+ var sourceTypeSchema2 = z.enum([
13486
+ "human",
13487
+ "ai_extracted",
13488
+ "ai_generated",
13489
+ "imported",
13490
+ "system",
13491
+ "verified",
13492
+ "proprietary"
13493
+ ]);
13494
+ var verificationStatusSchema = z.enum([
13495
+ "unverified",
13496
+ "human_verified",
13497
+ "ai_verified",
13498
+ "contradicted",
13499
+ "outdated"
13500
+ ]);
13501
+ var nodeStatusSchema = z.enum([
13502
+ "active",
13503
+ "superseded",
13504
+ "archived",
13505
+ "deleted"
13506
+ ]);
13507
+ var externalIdsArgs = z.object({
13508
+ crunchbase: z.string().optional(),
13509
+ linkedin: z.string().optional(),
13510
+ pitchbook: z.string().optional(),
13511
+ twitter: z.string().optional(),
13512
+ website: z.string().optional()
13513
+ }).optional();
13514
+ var createEpistemicNodeItemArgs = z.object({
13515
+ globalId: z.string().optional().describe("Optional idempotent node global ID."),
13516
+ nodeType: NODE_TYPE.describe("Public epistemic node type."),
13517
+ subtype: z.string().optional(),
13518
+ canonicalText: z.string().optional().describe("Canonical node text."),
13519
+ text: z.string().optional().describe("Alias for canonicalText."),
13520
+ contentHash: z.string().optional().describe("Optional idempotency content hash."),
13521
+ content: z.string().optional(),
13522
+ contentType: z.string().optional(),
13523
+ title: z.string().optional(),
13524
+ tags: z.array(z.string()).optional(),
13525
+ domain: z.string().optional(),
13526
+ metadata: z.record(z.unknown()).optional(),
13527
+ externalIds: externalIdsArgs,
13528
+ sourceType: sourceTypeSchema2.optional(),
13529
+ aiProvider: z.string().optional(),
13530
+ extractedFromNodeId: z.string().optional(),
13531
+ confidence: z.number().optional(),
13532
+ verificationStatus: verificationStatusSchema.optional(),
13533
+ topicId: z.string().optional(),
13534
+ projectId: z.string().optional(),
13535
+ createdBy: z.string().optional(),
13536
+ trustedBypassAccessCheck: z.boolean().optional()
13537
+ });
13538
+ var createEpistemicNodeArgs = createEpistemicNodeItemArgs;
13539
+ var batchCreateEpistemicNodesArgs = z.object({
13540
+ nodes: z.array(createEpistemicNodeItemArgs)
13541
+ });
13542
+ var getEpistemicNodeArgs = z.object({
13543
+ nodeId: z.string().describe("Node ID or global ID."),
13544
+ globalId: z.string().optional().describe("Node global ID alias.")
13545
+ });
13546
+ var listEpistemicNodesArgs = z.object({
13547
+ topicId: z.string().optional(),
13548
+ projectId: z.string().optional(),
13549
+ nodeType: NODE_TYPE.optional(),
13550
+ status: nodeStatusSchema.optional(),
13551
+ searchQuery: z.string().optional(),
13552
+ query: z.string().optional(),
13553
+ limit: z.number().optional()
13554
+ });
13555
+ var updateEpistemicNodeArgs = z.object({
13556
+ nodeId: z.string().describe("Node ID or global ID."),
13557
+ id: z.string().optional().describe("Node ID alias."),
13558
+ subtype: z.string().optional(),
13559
+ canonicalText: z.string().optional(),
13560
+ text: z.string().optional(),
13561
+ contentHash: z.string().optional(),
13562
+ content: z.string().optional(),
13563
+ contentType: z.string().optional(),
13564
+ title: z.string().optional(),
13565
+ tags: z.array(z.string()).optional(),
13566
+ domain: z.string().optional(),
13567
+ metadata: z.record(z.unknown()).optional(),
13568
+ externalIds: externalIdsArgs,
13569
+ confidence: z.number().optional(),
13570
+ verificationStatus: verificationStatusSchema.optional(),
13571
+ status: nodeStatusSchema.optional(),
13572
+ userId: z.string().optional(),
13573
+ trustedBypassAccessCheck: z.boolean().optional()
13574
+ });
13575
+ var archiveEpistemicNodeArgs = z.object({
13576
+ nodeId: z.string().describe("Node ID or global ID."),
13577
+ id: z.string().optional().describe("Node ID alias."),
13578
+ userId: z.string().optional(),
13579
+ trustedBypassAccessCheck: z.boolean().optional()
13580
+ });
13581
+ var verifyEpistemicNodeArgs = z.object({
13582
+ nodeId: z.string().describe("Node ID or global ID."),
13583
+ id: z.string().optional().describe("Node ID alias."),
13584
+ verificationStatus: verificationStatusSchema,
13585
+ confidence: z.number().optional(),
13586
+ userId: z.string().optional()
13587
+ });
13588
+ var supersedeEpistemicNodeArgs = z.object({
13589
+ oldNodeId: z.string().describe("Node ID or global ID to supersede."),
13590
+ nodeId: z.string().optional().describe("Old node ID alias."),
13591
+ newGlobalId: z.string().optional(),
13592
+ newCanonicalText: z.string().optional(),
13593
+ text: z.string().optional(),
13594
+ canonicalText: z.string().optional(),
13595
+ newContentHash: z.string().optional(),
13596
+ reason: z.string().optional(),
13597
+ createdBy: z.string().optional(),
13598
+ trustedBypassAccessCheck: z.boolean().optional()
13599
+ });
13600
+ function generatedGlobalId(prefix) {
13601
+ return `${prefix}:${crypto.randomUUID()}`;
13602
+ }
13603
+ function resolveCanonicalText(input) {
13604
+ const text = input.canonicalText ?? input.text ?? input.title ?? input.content;
13605
+ if (typeof text !== "string" || text.trim().length === 0) {
13606
+ throw new Error("canonicalText or text is required.");
13607
+ }
13608
+ return text;
13609
+ }
13610
+ function createNodeInput(input, context) {
13611
+ const canonicalText = resolveCanonicalText(input);
13612
+ const nodeType = String(input.nodeType);
13613
+ return withCreatedBy(
13614
+ compactRecord4({
13615
+ globalId: typeof input.globalId === "string" && input.globalId.trim() ? input.globalId : generatedGlobalId(nodeType),
13616
+ nodeType,
13617
+ subtype: input.subtype,
13618
+ canonicalText,
13619
+ contentHash: typeof input.contentHash === "string" && input.contentHash.trim() ? input.contentHash : `${nodeType}:${canonicalText}`,
13620
+ content: input.content,
13621
+ contentType: input.contentType,
13622
+ title: input.title,
13623
+ tags: input.tags,
13624
+ domain: input.domain,
13625
+ metadata: input.metadata,
13626
+ externalIds: input.externalIds,
13627
+ sourceType: typeof input.sourceType === "string" && input.sourceType.trim() ? input.sourceType : "human",
13628
+ aiProvider: input.aiProvider,
13629
+ extractedFromNodeId: input.extractedFromNodeId,
13630
+ confidence: input.confidence,
13631
+ verificationStatus: input.verificationStatus,
13632
+ topicId: input.topicId,
13633
+ projectId: input.projectId
13634
+ }),
13635
+ context
13636
+ );
13637
+ }
13638
+ var getNodeInput = (input) => compactRecord4({
13639
+ nodeId: input.nodeId ?? input.globalId
13640
+ });
13641
+ var listNodesInput = (input) => compactRecord4({
13642
+ topicId: input.topicId,
13643
+ projectId: input.projectId,
13644
+ nodeType: input.nodeType,
13645
+ status: input.status,
13646
+ searchQuery: input.searchQuery ?? input.query,
13647
+ limit: input.limit
13648
+ });
13649
+ var updateNodeInput = (input, context) => withUserId(
13650
+ compactRecord4({
13651
+ nodeId: input.nodeId ?? input.id,
13652
+ subtype: input.subtype,
13653
+ canonicalText: input.canonicalText ?? input.text,
13654
+ contentHash: input.contentHash,
13655
+ content: input.content,
13656
+ contentType: input.contentType,
13657
+ title: input.title,
13658
+ tags: input.tags,
13659
+ domain: input.domain,
13660
+ metadata: input.metadata,
13661
+ externalIds: input.externalIds,
13662
+ confidence: input.confidence,
13663
+ verificationStatus: input.verificationStatus,
13664
+ status: input.status,
13665
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13666
+ }),
13667
+ context
13668
+ );
13669
+ var archiveNodeInput = (input, context) => withUserId(
13670
+ compactRecord4({
13671
+ nodeId: input.nodeId ?? input.id,
13672
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13673
+ }),
13674
+ context
13675
+ );
13676
+ var verifyNodeInput = (input, context) => withUserId(
13677
+ compactRecord4({
13678
+ nodeId: input.nodeId ?? input.id,
13679
+ verificationStatus: input.verificationStatus,
13680
+ confidence: input.confidence
13681
+ }),
13682
+ context
13683
+ );
13684
+ var supersedeNodeInput = (input, context) => {
13685
+ const newCanonicalText = input.newCanonicalText ?? input.canonicalText ?? input.text;
13686
+ if (typeof newCanonicalText !== "string" || newCanonicalText.trim().length === 0) {
13687
+ throw new Error("newCanonicalText or text is required.");
13688
+ }
13689
+ return {
13690
+ oldNodeId: input.oldNodeId ?? input.nodeId,
13691
+ newGlobalId: typeof input.newGlobalId === "string" && input.newGlobalId.trim() ? input.newGlobalId : generatedGlobalId("node"),
13692
+ newCanonicalText,
13693
+ newContentHash: typeof input.newContentHash === "string" && input.newContentHash.trim() ? input.newContentHash : `superseded:${newCanonicalText}`,
13694
+ createdBy: typeof input.createdBy === "string" ? input.createdBy : authUserId(context),
13695
+ reason: input.reason,
13696
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13697
+ };
13698
+ };
13699
+ var batchCreateNodesInput = (input, context) => {
13700
+ const nodes = Array.isArray(input.nodes) ? input.nodes : [];
13701
+ return {
13702
+ nodes: nodes.map(
13703
+ (node) => createNodeInput(
13704
+ node && typeof node === "object" ? node : {},
13705
+ context
13706
+ )
13707
+ )
13708
+ };
13709
+ };
13710
+ var nodesContracts = [
13711
+ surfaceContract({
13712
+ name: "create_epistemic_node",
11068
13713
  kind: "mutation",
11069
- domain: "topics",
13714
+ domain: "nodes",
11070
13715
  surfaceClass: "platform_public",
11071
- path: "/topics",
11072
- sdkNamespace: "topics",
11073
- sdkMethod: "createTopic",
11074
- summary: "Create a topic.",
13716
+ path: "/nodes",
13717
+ sdkNamespace: "nodes",
13718
+ sdkMethod: "createEpistemicNode",
13719
+ summary: "Create a generic epistemic graph node.",
11075
13720
  convex: {
11076
- module: "topics",
13721
+ module: "nodes",
11077
13722
  functionName: "create",
11078
13723
  kind: "mutation",
11079
- inputProjection: withCreatedBy
11080
- }
13724
+ inputProjection: createNodeInput
13725
+ },
13726
+ args: createEpistemicNodeArgs
11081
13727
  }),
11082
13728
  surfaceContract({
11083
- name: "get_topic",
13729
+ name: "get_epistemic_node",
11084
13730
  kind: "query",
11085
- domain: "topics",
13731
+ domain: "nodes",
11086
13732
  surfaceClass: "platform_public",
11087
13733
  method: "GET",
11088
- path: "/topics/get",
11089
- sdkNamespace: "topics",
11090
- sdkMethod: "getTopic",
11091
- summary: "Get a topic.",
13734
+ path: "/nodes/get",
13735
+ sdkNamespace: "nodes",
13736
+ sdkMethod: "getEpistemicNode",
13737
+ summary: "Get a generic epistemic graph node.",
11092
13738
  convex: {
11093
- module: "topics",
13739
+ module: "nodes",
11094
13740
  functionName: "get",
11095
13741
  kind: "query",
11096
- inputProjection: topicIdInput
11097
- }
13742
+ inputProjection: getNodeInput
13743
+ },
13744
+ args: getEpistemicNodeArgs
11098
13745
  }),
11099
13746
  surfaceContract({
11100
- name: "list_topics",
13747
+ name: "list_epistemic_nodes",
11101
13748
  kind: "query",
11102
- domain: "topics",
13749
+ domain: "nodes",
11103
13750
  surfaceClass: "platform_public",
11104
13751
  method: "GET",
11105
- path: "/topics",
11106
- sdkNamespace: "topics",
11107
- sdkMethod: "listTopics",
11108
- summary: "List topics.",
13752
+ path: "/nodes",
13753
+ sdkNamespace: "nodes",
13754
+ sdkMethod: "listEpistemicNodes",
13755
+ summary: "List generic epistemic graph nodes.",
11109
13756
  convex: {
11110
- module: "topics",
13757
+ module: "nodes",
11111
13758
  functionName: "list",
11112
- kind: "query"
11113
- }
13759
+ kind: "query",
13760
+ inputProjection: listNodesInput
13761
+ },
13762
+ args: listEpistemicNodesArgs
11114
13763
  }),
11115
13764
  surfaceContract({
11116
- name: "update_topic",
13765
+ name: "update_epistemic_node",
11117
13766
  kind: "mutation",
11118
- domain: "topics",
13767
+ domain: "nodes",
11119
13768
  surfaceClass: "platform_public",
11120
13769
  method: "PATCH",
11121
- path: "/topics",
11122
- sdkNamespace: "topics",
11123
- sdkMethod: "updateTopic",
11124
- summary: "Update a topic.",
13770
+ path: "/nodes",
13771
+ sdkNamespace: "nodes",
13772
+ sdkMethod: "updateEpistemicNode",
13773
+ summary: "Update a generic epistemic graph node.",
11125
13774
  convex: {
11126
- module: "topics",
13775
+ module: "nodes",
11127
13776
  functionName: "update",
11128
13777
  kind: "mutation",
11129
- inputProjection: updateTopicInput
13778
+ inputProjection: updateNodeInput
11130
13779
  },
11131
- args: updateTopicArgs
13780
+ args: updateEpistemicNodeArgs
11132
13781
  }),
11133
13782
  surfaceContract({
11134
- name: "get_topic_tree",
11135
- kind: "query",
11136
- domain: "topics",
13783
+ name: "archive_epistemic_node",
13784
+ kind: "mutation",
13785
+ domain: "nodes",
11137
13786
  surfaceClass: "platform_public",
11138
- method: "GET",
11139
- path: "/topics/tree",
11140
- sdkNamespace: "topics",
11141
- sdkMethod: "getTopicTree",
11142
- summary: "Get a topic tree.",
13787
+ path: "/nodes/archive",
13788
+ sdkNamespace: "nodes",
13789
+ sdkMethod: "archiveEpistemicNode",
13790
+ summary: "Archive a generic epistemic graph node.",
11143
13791
  convex: {
11144
- module: "topics",
11145
- functionName: "getTree",
11146
- kind: "query"
11147
- }
13792
+ module: "nodes",
13793
+ functionName: "archive",
13794
+ kind: "mutation",
13795
+ inputProjection: archiveNodeInput
13796
+ },
13797
+ args: archiveEpistemicNodeArgs
13798
+ }),
13799
+ surfaceContract({
13800
+ name: "verify_epistemic_node",
13801
+ kind: "mutation",
13802
+ domain: "nodes",
13803
+ surfaceClass: "platform_public",
13804
+ path: "/nodes/verify",
13805
+ sdkNamespace: "nodes",
13806
+ sdkMethod: "verifyEpistemicNode",
13807
+ summary: "Verify a generic epistemic graph node.",
13808
+ convex: {
13809
+ module: "nodes",
13810
+ functionName: "verify",
13811
+ kind: "mutation",
13812
+ inputProjection: verifyNodeInput
13813
+ },
13814
+ args: verifyEpistemicNodeArgs
13815
+ }),
13816
+ surfaceContract({
13817
+ name: "supersede_epistemic_node",
13818
+ kind: "mutation",
13819
+ domain: "nodes",
13820
+ surfaceClass: "platform_public",
13821
+ path: "/nodes/supersede",
13822
+ sdkNamespace: "nodes",
13823
+ sdkMethod: "supersedeEpistemicNode",
13824
+ summary: "Supersede a generic epistemic graph node.",
13825
+ convex: {
13826
+ module: "nodes",
13827
+ functionName: "supersede",
13828
+ kind: "mutation",
13829
+ inputProjection: supersedeNodeInput
13830
+ },
13831
+ args: supersedeEpistemicNodeArgs
13832
+ }),
13833
+ surfaceContract({
13834
+ name: "batch_create_epistemic_nodes",
13835
+ kind: "mutation",
13836
+ domain: "nodes",
13837
+ surfaceClass: "platform_public",
13838
+ path: "/nodes/batch",
13839
+ sdkNamespace: "nodes",
13840
+ sdkMethod: "batchCreateEpistemicNodes",
13841
+ summary: "Batch create generic epistemic graph nodes.",
13842
+ convex: {
13843
+ module: "nodes",
13844
+ functionName: "batchCreate",
13845
+ kind: "mutation",
13846
+ inputProjection: batchCreateNodesInput
13847
+ },
13848
+ args: batchCreateEpistemicNodesArgs
11148
13849
  })
11149
13850
  ];
11150
13851
  var lensPerspectiveSchema = z.enum([
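Review bot: `trustedBypassAccessCheck` is accepted from the request in `createEpistemicNodeItemArgs`, `updateEpistemicNodeArgs`, `archiveEpistemicNodeArgs` and `supersedeEpistemicNodeArgs`, and `updateNodeInput`, `archiveNodeInput` and `supersedeNodeInput` copy `input.trustedBypassAccessCheck` straight into the Convex arguments. All of these contracts are `platform_public`, so a flag whose name says it skips the access check is under client control unless the `nodes` module ignores it for external callers, which this page does not show. `createNodeInput` already leaves the flag out, so the schemas and projections disagree with each other as well. I would delete the field from the four public schemas and remove the line `trustedBypassAccessCheck: input.trustedBypassAccessCheck` from the three projections; an internal caller that needs the bypass should set it server-side from the verified context.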
@@ -11504,6 +14205,19 @@ var worktreeEvidenceSignalInputSchema = z.object({
11504
14205
  progress: z.string().optional().describe("Collection progress note for the signal."),
11505
14206
  notes: z.string().optional().describe("Additional evidence collection notes.")
11506
14207
  }).passthrough().describe("Evidence signal embedded in the worktree plan.");
14208
+ var worktreeDocCompanionTargetSchema = z.object({
14209
+ docPath: z.string().describe(
14210
+ "Repo-relative path to a documentation file the worktree promises to update."
14211
+ ),
14212
+ sectionAnchor: z.string().optional().describe(
14213
+ "Markdown heading anchor (e.g. '## Function-surface manifest') that scopes the promised update."
14214
+ ),
14215
+ reason: z.string().describe(
14216
+ "Why this doc section must be updated for the worktree to be complete."
14217
+ )
14218
+ }).passthrough().describe(
14219
+ "Intent-driven docs companion target. pr-gate-reviewer verifies that the PR actually touches each declared (docPath, sectionAnchor). Distinct from the touch-driven docs-loop. See docs/development/docs-sync-discipline.md Lock 3."
14220
+ );
11507
14221
  var worktreeDecisionGateInputSchema = z.object({
11508
14222
  goCriteria: z.array(z.string()).describe("Criteria that must hold for the worktree to proceed."),
11509
14223
  noGoSignals: z.array(z.string()).describe("Signals that stop or redirect the worktree."),
@@ -11536,6 +14250,9 @@ var addWorktreeArgs = z.object({
11536
14250
  keyQuestions: z.array(worktreeKeyQuestionInputSchema).optional().describe("Inline key questions captured as part of the worktree plan."),
11537
14251
  evidenceSignals: z.array(worktreeEvidenceSignalInputSchema).optional().describe("Evidence signals the worktree needs to collect or validate."),
11538
14252
  decisionGate: worktreeDecisionGateInputSchema.optional(),
14253
+ docCompanionTargets: z.array(worktreeDocCompanionTargetSchema).optional().describe(
14254
+ "Doc sections the worktree promises to update at PR time. Enforced by pr-gate-reviewer (Lock 3)."
14255
+ ),
11539
14256
  goCriteria: z.array(z.string()).optional().describe("Shorthand go criteria used to build decisionGate."),
11540
14257
  noGoSignals: z.array(z.string()).optional().describe("Shorthand no-go signals used to build decisionGate."),
11541
14258
  proofArtifacts: z.array(z.unknown()).optional().describe("Expected proof artifacts required to close the worktree."),
@@ -11899,7 +14616,21 @@ var createTaskArgs = z.object({
11899
14616
  linkedQuestionId: z.string().optional().describe("Question this task addresses."),
11900
14617
  assigneeId: z.string().optional().describe("Principal assigned to the task."),
11901
14618
  dueDate: z.number().optional().describe("Due date as epoch milliseconds."),
11902
- tags: z.array(z.string()).optional().describe("Free-form tags.")
14619
+ tags: z.array(z.string()).optional().describe("Free-form tags."),
14620
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
14621
+ });
14622
+ var updateTaskArgs = z.object({
14623
+ taskId: z.string().describe("Task to update."),
14624
+ title: z.string().optional().describe("Updated task title."),
14625
+ description: z.string().optional().describe("Updated task description."),
14626
+ priority: taskPrioritySchema.optional().describe("Updated priority."),
14627
+ status: taskStatusSchema2.optional().describe("Updated status."),
14628
+ linkedWorktreeId: z.string().optional().describe("Worktree this task belongs to."),
14629
+ linkedBeliefId: z.string().optional().describe("Belief this task supports."),
14630
+ linkedQuestionId: z.string().optional().describe("Question this task addresses."),
14631
+ assigneeId: z.string().optional().describe("Principal assigned to the task."),
14632
+ blockedReason: z.string().optional().describe("Reason the task is blocked or deferred."),
14633
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
11903
14634
  });
11904
14635
  var createTaskInput = (input) => compactRecord4({
11905
14636
  title: input.title,
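Review bot: `metadata: z.record(z.unknown())`, added here to both createTaskArgs and updateTaskArgs, accepts any number of keys and arbitrarily large or deep values, and createTaskInput forwards it to the mutation unchanged. Because the description says it carries routing hints, consumers should treat it as untrusted caller data and the schema should cap it, for example `metadata: z.record(z.unknown()).refine((m) => JSON.stringify(m).length <= MAX_TASK_METADATA_CHARS).optional()`, where `MAX_TASK_METADATA_CHARS` is a placeholder for a limit the project chooses. The same unbounded shape is added to createEdgeArgs and updateEdgeArgs in the `@@ -12015,10 +14752,37 @@` hunk. createTaskInput continues past the end of this hunk.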
@@ -11913,7 +14644,8 @@ var createTaskInput = (input) => compactRecord4({
11913
14644
  linkedQuestionId: input.linkedQuestionId,
11914
14645
  assigneeId: input.assigneeId,
11915
14646
  dueDate: input.dueDate,
11916
- tags: input.tags
14647
+ tags: input.tags,
14648
+ metadata: input.metadata
11917
14649
  });
11918
14650
  var taskInput = (input) => compactRecord4({
11919
14651
  ...input,
@@ -11930,8 +14662,7 @@ var taskTopicInput = (input) => {
11930
14662
  };
11931
14663
  var completeTaskInput = (input) => compactRecord4({
11932
14664
  taskId: input.taskId ?? input.id,
11933
- outputSummary: input.outputSummary ?? input.summary,
11934
- userId: input.userId
14665
+ outputSummary: input.outputSummary ?? input.summary
11935
14666
  });
11936
14667
  var tasksContracts = [
11937
14668
  surfaceContract({
@@ -11949,6 +14680,7 @@ var tasksContracts = [
11949
14680
  kind: "mutation",
11950
14681
  inputProjection: createTaskInput
11951
14682
  },
14683
+ gateway: { handler: "tasks.create" },
11952
14684
  args: createTaskArgs
11953
14685
  }),
11954
14686
  surfaceContract({
@@ -11967,6 +14699,7 @@ var tasksContracts = [
11967
14699
  kind: "query",
11968
14700
  inputProjection: taskTopicInput
11969
14701
  },
14702
+ gateway: { handler: "tasks.list" },
11970
14703
  args: listTasksInputSchema
11971
14704
  }),
11972
14705
  surfaceContract({
@@ -11984,7 +14717,9 @@ var tasksContracts = [
11984
14717
  functionName: "update",
11985
14718
  kind: "mutation",
11986
14719
  inputProjection: taskInput
11987
- }
14720
+ },
14721
+ gateway: { handler: "tasks.update" },
14722
+ args: updateTaskArgs
11988
14723
  }),
11989
14724
  surfaceContract({
11990
14725
  name: "complete_task",
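Review bot: With `args: updateTaskArgs` now attached to update_task, fields the schema does not declare may no longer reach `taskInput`, which spreads `...input`. updateTaskArgs (defined in the createTaskArgs hunk) has no `dueDate` or `tags`, although createTaskArgs accepts both. If the surface parses input against `args`, a caller changing a due date or tags would get a silent no-op, since zod objects strip undeclared keys by default. Either add `dueDate: z.number().optional()` and `tags: z.array(z.string()).optional()` to updateTaskArgs, or make the schema `.strict()` so the omission is reported rather than dropped. The surfaceContract call for update_task starts above this hunk.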
@@ -12000,12 +14735,14 @@ var tasksContracts = [
12000
14735
  functionName: "complete",
12001
14736
  kind: "mutation",
12002
14737
  inputProjection: completeTaskInput
12003
- }
14738
+ },
14739
+ gateway: { handler: "tasks.complete" }
12004
14740
  })
12005
14741
  ];
12006
14742
  var CREATE_EDGE_TYPES = edgePolicyManifest.policies.map(
12007
14743
  (policy) => policy.edgeType
12008
14744
  );
14745
+ var REASONING_METHOD_TYPES = [...REASONING_METHODS];
12009
14746
  var createEdgeArgs = z.object({
12010
14747
  from: GraphRefSchema,
12011
14748
  to: GraphRefSchema,
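Review bot: complete_task gains `gateway: { handler: "tasks.complete" }`, but no `args` schema is visible after its `convex` block, unlike create_task, list_tasks and update_task in the neighbouring hunks. As a result `completeTaskInput` reads `input.taskId ?? input.id` and `input.outputSummary ?? input.summary` from input that nothing shown here has validated. A small schema would close the gap, e.g. `args: z.object({ taskId: z.string().optional(), id: z.string().optional(), outputSummary: z.string().optional(), summary: z.string().optional() })`, plus a check that one of `taskId`/`id` is present. The lines between `name: "complete_task"` and the start of this hunk are not shown, so an `args` declared there would make this moot.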
@@ -12015,10 +14752,37 @@ var createEdgeArgs = z.object({
12015
14752
  confidence: z.number().optional(),
12016
14753
  context: z.string().optional(),
12017
14754
  reasoning: z.string().optional(),
14755
+ reasoningMethod: z.enum(REASONING_METHOD_TYPES).optional(),
12018
14756
  derivationType: z.string().optional(),
14757
+ metadata: z.record(z.unknown()).optional(),
12019
14758
  topicId: z.string().optional(),
12020
14759
  trustedBypassAccessCheck: z.boolean().optional()
12021
14760
  });
14761
+ var updateEdgeArgs = z.object({
14762
+ edgeId: z.string().describe("Edge ID or global ID."),
14763
+ weight: z.number().optional(),
14764
+ confidence: z.number().optional(),
14765
+ context: z.string().optional(),
14766
+ reasoning: z.string().optional(),
14767
+ derivationType: z.string().optional(),
14768
+ metadata: z.record(z.unknown()).optional(),
14769
+ userId: z.string().optional()
14770
+ });
14771
+ var removeEdgeArgs = z.object({
14772
+ edgeId: z.string().describe("Edge ID or global ID."),
14773
+ userId: z.string().optional()
14774
+ });
14775
+ var removeEdgesBetweenArgs = z.object({
14776
+ from: GraphRefSchema.optional(),
14777
+ to: GraphRefSchema.optional(),
14778
+ fromNodeId: z.string().optional(),
14779
+ toNodeId: z.string().optional(),
14780
+ edgeType: z.enum(CREATE_EDGE_TYPES).optional()
14781
+ });
14782
+ var batchCreateEdgesArgs = z.object({
14783
+ edges: z.array(createEdgeArgs),
14784
+ skipLayerValidation: z.boolean().optional()
14785
+ });
12022
14786
  var queryLineageArgs = z.object({
12023
14787
  nodeId: z.string().describe("Starting node to trace from."),
12024
14788
  startNode: z.string().optional().describe("Starting node alias accepted by traversal callers."),
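Review bot: `edges: z.array(createEdgeArgs)` in batchCreateEdgesArgs has no length bound, so one request to the `platform_public` batch_create_edges surface (next hunk) can carry an arbitrary number of edges, each with its own unbounded `metadata`. The projection runs `assertEdgePolicyAllowed` on every element. Add a floor and a ceiling, `edges: z.array(createEdgeArgs).min(1).max(MAX_BATCH_EDGES)`, with `MAX_BATCH_EDGES` a placeholder for the project's chosen limit. Because the element type is createEdgeArgs, each item also accepts `trustedBypassAccessCheck`, which the batch projection does not forward; a dedicated element schema without that field would make the contract say what it actually does.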
@@ -12067,7 +14831,9 @@ var edgesContracts = [
12067
14831
  weight: parsed.weight,
12068
14832
  confidence: parsed.confidence,
12069
14833
  context: parsed.context ?? parsed.reasoning,
14834
+ reasoningMethod: parsed.reasoningMethod,
12070
14835
  derivationType: parsed.derivationType,
14836
+ metadata: parsed.metadata,
12071
14837
  skipLayerValidation: true,
12072
14838
  topicId: parsed.topicId,
12073
14839
  trustedBypassAccessCheck: parsed.trustedBypassAccessCheck
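Review bot: `trustedBypassAccessCheck: parsed.trustedBypassAccessCheck` on the last line of this hunk is copied from caller-parsed input into the mutation arguments, and nothing visible limits who may set it. It is an unchanged context line, but it sits directly beside the newly forwarded `metadata`. If create_edge is reachable by untrusted callers, the flag should come from server-side context rather than the request, or be dropped in the projection unless the caller is internal. The contract's `surfaceClass` and the mutation-side check are outside this hunk, so this needs confirming. At minimum add a comment above it such as `// honoured only for internal callers; enforcement lives in the edges create mutation`, once that is verified to be true.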
@@ -12078,6 +14844,131 @@ var edgesContracts = [
12078
14844
  },
12079
14845
  args: createEdgeArgs
12080
14846
  }),
14847
+ surfaceContract({
14848
+ name: "update_edge",
14849
+ kind: "mutation",
14850
+ domain: "edges",
14851
+ surfaceClass: "platform_public",
14852
+ method: "PATCH",
14853
+ path: "/edges",
14854
+ sdkNamespace: "edges",
14855
+ sdkMethod: "updateEdge",
14856
+ summary: "Update an epistemic edge.",
14857
+ convex: {
14858
+ module: "edges",
14859
+ functionName: "update",
14860
+ kind: "mutation",
14861
+ inputProjection: (input, context) => compactRecord4({
14862
+ edgeId: input.edgeId,
14863
+ weight: input.weight,
14864
+ confidence: input.confidence,
14865
+ context: input.context ?? input.reasoning,
14866
+ derivationType: input.derivationType,
14867
+ metadata: input.metadata,
14868
+ userId: input.userId ?? context.userId ?? context.principalId
14869
+ })
14870
+ },
14871
+ args: updateEdgeArgs
14872
+ }),
14873
+ surfaceContract({
14874
+ name: "remove_edge",
14875
+ kind: "mutation",
14876
+ domain: "edges",
14877
+ surfaceClass: "platform_public",
14878
+ method: "DELETE",
14879
+ path: "/edges",
14880
+ sdkNamespace: "edges",
14881
+ sdkMethod: "removeEdge",
14882
+ summary: "Remove an epistemic edge.",
14883
+ convex: {
14884
+ module: "edges",
14885
+ functionName: "remove",
14886
+ kind: "mutation",
14887
+ inputProjection: (input, context) => compactRecord4({
14888
+ edgeId: input.edgeId,
14889
+ userId: input.userId ?? context.userId ?? context.principalId
14890
+ })
14891
+ },
14892
+ args: removeEdgeArgs
14893
+ }),
14894
+ surfaceContract({
14895
+ name: "remove_edges_between",
14896
+ kind: "mutation",
14897
+ domain: "edges",
14898
+ surfaceClass: "platform_public",
14899
+ method: "DELETE",
14900
+ path: "/edges/between",
14901
+ sdkNamespace: "edges",
14902
+ sdkMethod: "removeEdgesBetween",
14903
+ summary: "Remove epistemic edges between two nodes.",
14904
+ convex: {
14905
+ module: "edges",
14906
+ functionName: "removeBetween",
14907
+ kind: "mutation",
14908
+ inputProjection: (input) => {
14909
+ const parsed = removeEdgesBetweenArgs.parse(input);
14910
+ const fromNodeId = parsed.from ? graphRefNodeId(parsed.from) : parsed.fromNodeId;
14911
+ const toNodeId = parsed.to ? graphRefNodeId(parsed.to) : parsed.toNodeId;
14912
+ if (!fromNodeId || !toNodeId) {
14913
+ throw new Error("from/to or fromNodeId/toNodeId are required.");
14914
+ }
14915
+ return compactRecord4({
14916
+ fromNodeId,
14917
+ toNodeId,
14918
+ edgeType: parsed.edgeType
14919
+ });
14920
+ }
14921
+ },
14922
+ args: removeEdgesBetweenArgs
14923
+ }),
14924
+ surfaceContract({
14925
+ name: "batch_create_edges",
14926
+ kind: "mutation",
14927
+ domain: "edges",
14928
+ surfaceClass: "platform_public",
14929
+ path: "/edges/batch",
14930
+ sdkNamespace: "edges",
14931
+ sdkMethod: "batchCreateEdges",
14932
+ summary: "Batch create epistemic edges.",
14933
+ convex: {
14934
+ module: "edges",
14935
+ functionName: "batchCreate",
14936
+ kind: "mutation",
14937
+ inputProjection: (input, context) => {
14938
+ const parsed = batchCreateEdgesArgs.parse(input);
14939
+ return {
14940
+ skipLayerValidation: parsed.skipLayerValidation ?? true,
14941
+ edges: parsed.edges.map((edge) => {
14942
+ assertEdgePolicyAllowed(
14943
+ edgePolicyManifest,
14944
+ edge.edgeType,
14945
+ edge.from,
14946
+ edge.to
14947
+ );
14948
+ const fromNodeId = graphRefNodeId(edge.from);
14949
+ const toNodeId = graphRefNodeId(edge.to);
14950
+ return withCreatedBy(
14951
+ compactRecord4({
14952
+ fromNodeId,
14953
+ toNodeId,
14954
+ edgeType: edge.edgeType,
14955
+ globalId: edge.globalId ?? `edge:${fromNodeId}:${toNodeId}:${edge.edgeType}`,
14956
+ weight: edge.weight,
14957
+ confidence: edge.confidence,
14958
+ context: edge.context ?? edge.reasoning,
14959
+ reasoningMethod: edge.reasoningMethod,
14960
+ derivationType: edge.derivationType,
14961
+ metadata: edge.metadata,
14962
+ topicId: edge.topicId
14963
+ }),
14964
+ context
14965
+ );
14966
+ })
14967
+ };
14968
+ }
14969
+ },
14970
+ args: batchCreateEdgesArgs
14971
+ }),
12081
14972
  surfaceContract({
12082
14973
  name: "query_lineage",
12083
14974
  kind: "query",
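Review bot: In the update_edge and remove_edge projections, `userId: input.userId ?? context.userId ?? context.principalId` lets a caller-supplied `userId` take precedence over the authenticated context on a `platform_public` surface. The actor recorded for an edit or delete can therefore be chosen by the client. Unless the Convex mutation re-derives the actor itself, use the context only, `userId: context.userId ?? context.principalId`, and drop `userId` from updateEdgeArgs and removeEdgeArgs in the previous hunk. This commit already removes `userId: input.userId` from completeTaskInput, and batch_create_edges attributes through `withCreatedBy(..., context)`, so these two projections are the odd ones out. They also skip the `.parse(input)` call that remove_edges_between and batch_create_edges make.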
@@ -12800,6 +15691,69 @@ var pipelineContracts = [
12800
15691
  }
12801
15692
  })
12802
15693
  ];
15694
+ function isRecord3(value) {
15695
+ return Boolean(value) && typeof value === "object" && !Array.isArray(value);
15696
+ }
15697
+ function stringValues(value) {
15698
+ if (typeof value === "string") {
15699
+ return [value];
15700
+ }
15701
+ if (Array.isArray(value)) {
15702
+ return value.flatMap((item) => stringValues(item));
15703
+ }
15704
+ return [];
15705
+ }
15706
+ function nestedEvidenceRows(value) {
15707
+ if (Array.isArray(value)) {
15708
+ return value.flatMap((item) => nestedEvidenceRows(item));
15709
+ }
15710
+ if (!isRecord3(value)) {
15711
+ return [];
15712
+ }
15713
+ const nestedKeys = ["evidence", "items", "nodes"];
15714
+ const nestedRows = nestedKeys.flatMap((key) => nestedEvidenceRows(value[key]));
15715
+ return nestedRows.length > 0 ? nestedRows : [value];
15716
+ }
15717
+ function isFailedAttemptRow(row) {
15718
+ const metadata = isRecord3(row.metadata) ? row.metadata : null;
15719
+ return metadata?.failedApproach === true || metadata?.isFailedAttempt === true;
15720
+ }
15721
+ function failureLogSearchFields(row) {
15722
+ const metadata = isRecord3(row.metadata) ? row.metadata : null;
15723
+ return [
15724
+ ...stringValues(row.id),
15725
+ ...stringValues(row._id),
15726
+ ...stringValues(row.title),
15727
+ ...stringValues(row.text),
15728
+ ...stringValues(row.canonicalText),
15729
+ ...stringValues(row.content),
15730
+ ...stringValues(metadata?.codeAnchor),
15731
+ ...stringValues(metadata?.codeAnchors),
15732
+ ...stringValues(metadata?.anchor),
15733
+ ...stringValues(metadata?.anchors),
15734
+ ...stringValues(metadata?.filePath),
15735
+ ...stringValues(metadata?.filePaths),
15736
+ ...stringValues(metadata?.path),
15737
+ ...stringValues(metadata?.paths),
15738
+ ...stringValues(metadata?.sourceRef),
15739
+ ...stringValues(metadata?.touchedPaths)
15740
+ ];
15741
+ }
15742
+ function projectFailureLog(output, input) {
15743
+ const rawQuery = typeof input.query === "string" && input.query.trim().length > 0 ? input.query.trim() : void 0;
15744
+ const searchKey = rawQuery?.toLowerCase();
15745
+ const failures = nestedEvidenceRows(output).filter((row) => isFailedAttemptRow(row)).filter(
15746
+ (row) => !searchKey ? true : failureLogSearchFields(row).some(
15747
+ (field) => field.toLowerCase().includes(searchKey)
15748
+ )
15749
+ );
15750
+ return {
15751
+ query: rawQuery,
15752
+ failures,
15753
+ totalFound: failures.length,
15754
+ showing: failures.length
15755
+ };
15756
+ }
12803
15757
  var recordScopeLearningArgs = z.object({
12804
15758
  topicId: z.string().optional().describe("Topic scope ID"),
12805
15759
  summary: z.string().describe("Atomic learning statement"),
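Review bot: `nestedEvidenceRows` returns a record's children instead of the record whenever any of `evidence`, `items` or `nodes` yields rows. A failed-attempt row that itself carries a non-empty `items` or `evidence` array is therefore replaced by those children and never reaches `isFailedAttemptRow`. If result rows can carry such fields, keep the parent when it is itself flagged, `return nestedRows.length > 0 && !isFailedAttemptRow(value) ? nestedRows : [value];`, or unwrap only the top-level envelope. Both `nestedEvidenceRows` and `stringValues` also recurse without a depth limit; a one-line comment on each stating the expected input shape would help the next reader.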
@@ -12889,6 +15843,8 @@ var attemptInput = (input, context) => withUserId(
12889
15843
  tags: ["code_attempt"],
12890
15844
  metadata: compactRecord4({
12891
15845
  ...recordValue2(input.metadata),
15846
+ failedApproach: true,
15847
+ isFailedAttempt: true,
12892
15848
  filePaths: input.filePaths,
12893
15849
  filePath: input.filePath,
12894
15850
  errorMessage: input.errorMessage,
@@ -13019,7 +15975,8 @@ var codingContracts = [
13019
15975
  limit: input.limit,
13020
15976
  status: input.status,
13021
15977
  userId: input.userId
13022
- })
15978
+ }),
15979
+ outputProjection: (output, input) => projectFailureLog(output, input)
13023
15980
  }
13024
15981
  })
13025
15982
  ];
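Review bot: `outputProjection` filters for failed attempts and for `query` only after the request has been sent with `limit: input.limit`. Assuming the backend applies that limit, the response can hold fewer rows than requested even when more matches exist. `totalFound`, set equal to `showing` in `projectFailureLog`, then reports the post-filter count rather than a total. Either push the failed-attempt and text filters into the query arguments, or rename or omit `totalFound` so callers do not read it as the full match count. The contract this projection belongs to begins above the hunk.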
@@ -13056,6 +16013,7 @@ var ALL_FUNCTION_CONTRACTS = [
13056
16013
  ...evidenceContracts,
13057
16014
  ...questionsContracts,
13058
16015
  ...topicsContracts,
16016
+ ...nodesContracts,
13059
16017
  ...lensesContracts,
13060
16018
  ...ontologiesContracts,
13061
16019
  ...worktreesContracts,
@@ -13231,6 +16189,13 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13231
16189
  copyMode: "none",
13232
16190
  description: "Deliberation sessions are created by tenant workflows."
13233
16191
  },
16192
+ {
16193
+ component: "kernel",
16194
+ table: "domainEvents",
16195
+ prepopulation: "runtime_log",
16196
+ copyMode: "none",
16197
+ description: "Domain event rows are append-only runtime audit/exhaust data."
16198
+ },
13234
16199
  {
13235
16200
  component: "kernel",
13236
16201
  table: "epistemicAudit",
@@ -13480,14 +16445,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13480
16445
  description: "Worktrees are tenant/runtime planning data."
13481
16446
  },
13482
16447
  {
13483
- component: "identity",
16448
+ component: "control-plane",
13484
16449
  table: "agents",
13485
16450
  prepopulation: "runtime_bootstrap",
13486
16451
  copyMode: "none",
13487
16452
  description: "Service agents are provisioned per tenant or service, not copied."
13488
16453
  },
13489
16454
  {
13490
- component: "identity",
16455
+ component: "control-plane",
13491
16456
  table: "mcpWritePolicy",
13492
16457
  prepopulation: "required_template",
13493
16458
  copyMode: "template_global",
@@ -13496,14 +16461,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13496
16461
  description: "Global write policy defaults govern service and interactive MCP writes."
13497
16462
  },
13498
16463
  {
13499
- component: "identity",
16464
+ component: "control-plane",
13500
16465
  table: "modelCallLogs",
13501
16466
  prepopulation: "runtime_log",
13502
16467
  copyMode: "none",
13503
16468
  description: "Model call logs are runtime telemetry."
13504
16469
  },
13505
16470
  {
13506
- component: "identity",
16471
+ component: "control-plane",
13507
16472
  table: "modelFunctionSlots",
13508
16473
  prepopulation: "required_template",
13509
16474
  copyMode: "template_global",
@@ -13512,7 +16477,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13512
16477
  description: "Function-to-model slots are required by model runtime resolution."
13513
16478
  },
13514
16479
  {
13515
- component: "identity",
16480
+ component: "control-plane",
13516
16481
  table: "modelRegistry",
13517
16482
  prepopulation: "required_template",
13518
16483
  copyMode: "template_global",
@@ -13521,7 +16486,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13521
16486
  description: "Model catalog defaults are required by model runtime clients."
13522
16487
  },
13523
16488
  {
13524
- component: "identity",
16489
+ component: "control-plane",
13525
16490
  table: "modelSlotConfigs",
13526
16491
  prepopulation: "required_template",
13527
16492
  copyMode: "template_global",
@@ -13530,14 +16495,105 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13530
16495
  description: "Slot-level defaults are required before tenant overrides exist."
13531
16496
  },
13532
16497
  {
13533
- component: "identity",
16498
+ component: "control-plane",
16499
+ table: "permitAccessReviewItems",
16500
+ prepopulation: "runtime_data",
16501
+ copyMode: "none",
16502
+ description: "Permit access-review item rows are tenant review data projected from Permit."
16503
+ },
16504
+ {
16505
+ component: "control-plane",
16506
+ table: "permitAccessReviews",
16507
+ prepopulation: "runtime_data",
16508
+ copyMode: "none",
16509
+ description: "Permit access-review campaigns are tenant review data projected from Permit."
16510
+ },
16511
+ {
16512
+ component: "control-plane",
16513
+ table: "permitAttributeBindings",
16514
+ prepopulation: "runtime_data",
16515
+ copyMode: "none",
16516
+ description: "Permit ABAC attribute bindings are tenant policy projection rows."
16517
+ },
16518
+ {
16519
+ component: "control-plane",
16520
+ table: "permitGroups",
16521
+ prepopulation: "runtime_data",
16522
+ copyMode: "none",
16523
+ description: "Permit groups are tenant-defined policy subjects, not template data."
16524
+ },
16525
+ {
16526
+ component: "control-plane",
16527
+ table: "permitGroupMemberships",
16528
+ prepopulation: "runtime_data",
16529
+ copyMode: "none",
16530
+ description: "Permit group memberships are tenant-specific policy projection rows."
16531
+ },
16532
+ {
16533
+ component: "control-plane",
16534
+ table: "permitPolicyBundles",
16535
+ prepopulation: "runtime_derived",
16536
+ copyMode: "none",
16537
+ description: "Permit policy bundles are derived from the Permit control plane."
16538
+ },
16539
+ {
16540
+ component: "control-plane",
16541
+ table: "permitPolicyDecisionReceipts",
16542
+ prepopulation: "runtime_log",
16543
+ copyMode: "none",
16544
+ description: "Permit decision receipts are runtime authorization audit logs."
16545
+ },
16546
+ {
16547
+ component: "control-plane",
16548
+ table: "permitPrincipalAliases",
16549
+ prepopulation: "runtime_data",
16550
+ copyMode: "none",
16551
+ description: "Permit principal aliases are tenant-specific identity projection rows."
16552
+ },
16553
+ {
16554
+ component: "control-plane",
16555
+ table: "permitPrincipals",
16556
+ prepopulation: "runtime_data",
16557
+ copyMode: "none",
16558
+ description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows."
16559
+ },
16560
+ {
16561
+ component: "control-plane",
16562
+ table: "permitProjectionOutbox",
16563
+ prepopulation: "runtime_queue",
16564
+ copyMode: "none",
16565
+ description: "Permit projection outbox rows are runtime sync queue data."
16566
+ },
16567
+ {
16568
+ component: "control-plane",
16569
+ table: "permitRelationshipTuples",
16570
+ prepopulation: "runtime_data",
16571
+ copyMode: "none",
16572
+ description: "Permit ReBAC relationship tuples are tenant policy projection rows."
16573
+ },
16574
+ {
16575
+ component: "control-plane",
16576
+ table: "permitResourceInstances",
16577
+ prepopulation: "runtime_data",
16578
+ copyMode: "none",
16579
+ description: "Permit resource instances are tenant/workspace graph and deployment projection rows."
16580
+ },
16581
+ {
16582
+ component: "control-plane",
16583
+ table: "permitRoleAssignments",
16584
+ prepopulation: "runtime_data",
16585
+ copyMode: "none",
16586
+ description: "Permit role assignments are tenant-specific policy projection rows."
16587
+ },
16588
+ {
16589
+ component: "control-plane",
13534
16590
  table: "platformAudienceGrants",
13535
16591
  prepopulation: "runtime_data",
13536
16592
  copyMode: "none",
13537
16593
  description: "Audience grants are principal/group-specific access rows."
13538
16594
  },
13539
16595
  {
13540
- component: "identity",
16596
+ component: "control-plane",
13541
16597
  table: "platformAudiences",
13542
16598
  prepopulation: "required_template",
13543
16599
  copyMode: "template_tenant_rewrite",
@@ -13546,35 +16602,35 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13546
16602
  description: "Default tenant audience taxonomy rows are rewritten into each tenant."
13547
16603
  },
13548
16604
  {
13549
- component: "identity",
16605
+ component: "control-plane",
13550
16606
  table: "platformPolicyDecisionLogs",
13551
16607
  prepopulation: "runtime_log",
13552
16608
  copyMode: "none",
13553
16609
  description: "Policy decisions are runtime audit logs."
13554
16610
  },
13555
16611
  {
13556
- component: "identity",
16612
+ component: "control-plane",
13557
16613
  table: "projectGrants",
13558
16614
  prepopulation: "runtime_data",
13559
16615
  copyMode: "none",
13560
16616
  description: "Project/topic grants are principal or group-specific access rows."
13561
16617
  },
13562
16618
  {
13563
- component: "identity",
16619
+ component: "control-plane",
13564
16620
  table: "reasoningPermissions",
13565
16621
  prepopulation: "runtime_data",
13566
16622
  copyMode: "none",
13567
16623
  description: "Reasoning permissions are principal-specific policy rows."
13568
16624
  },
13569
16625
  {
13570
- component: "identity",
16626
+ component: "control-plane",
13571
16627
  table: "tenantApiKeys",
13572
16628
  prepopulation: "runtime_secret",
13573
16629
  copyMode: "none",
13574
16630
  description: "API keys are tenant credentials and must never be copied."
13575
16631
  },
13576
16632
  {
13577
- component: "identity",
16633
+ component: "control-plane",
13578
16634
  table: "tenantConfig",
13579
16635
  prepopulation: "required_template",
13580
16636
  copyMode: "template_tenant_rewrite",
@@ -13583,7 +16639,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13583
16639
  description: "Tenant-local config defaults are rewritten during bootstrap."
13584
16640
  },
13585
16641
  {
13586
- component: "identity",
16642
+ component: "control-plane",
13587
16643
  table: "tenantIntegrations",
13588
16644
  prepopulation: "required_template",
13589
16645
  copyMode: "template_tenant_rewrite",
@@ -13592,14 +16648,21 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13592
16648
  description: "Non-secret integration descriptors are rewritten into each tenant."
13593
16649
  },
13594
16650
  {
13595
- component: "identity",
16651
+ component: "control-plane",
13596
16652
  table: "tenantModelSlotBindings",
13597
16653
  prepopulation: "runtime_secret",
13598
16654
  copyMode: "none",
13599
16655
  description: "Tenant model slot bindings reference provider secrets and are runtime-only."
13600
16656
  },
13601
16657
  {
13602
- component: "identity",
16658
+ component: "control-plane",
16659
+ table: "tenantPermitSyncStates",
16660
+ prepopulation: "runtime_derived",
16661
+ copyMode: "none",
16662
+ description: "Tenant Permit sync state rows are runtime reconciliation state."
16663
+ },
16664
+ {
16665
+ component: "control-plane",
13603
16666
  table: "tenantPolicies",
13604
16667
  prepopulation: "required_template",
13605
16668
  copyMode: "template_tenant_rewrite",
@@ -13608,42 +16671,42 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13608
16671
  description: "Default tenant policy roles are rewritten during bootstrap."
13609
16672
  },
13610
16673
  {
13611
- component: "identity",
16674
+ component: "control-plane",
13612
16675
  table: "tenantProviderSecrets",
13613
16676
  prepopulation: "runtime_secret",
13614
16677
  copyMode: "none",
13615
16678
  description: "Provider secrets are credentials and must never be copied."
13616
16679
  },
13617
16680
  {
13618
- component: "identity",
16681
+ component: "control-plane",
13619
16682
  table: "tenantProxyGatewayUsage",
13620
16683
  prepopulation: "runtime_log",
13621
16684
  copyMode: "none",
13622
16685
  description: "Proxy gateway usage rows are runtime telemetry."
13623
16686
  },
13624
16687
  {
13625
- component: "identity",
16688
+ component: "control-plane",
13626
16689
  table: "tenantProxyTokenMints",
13627
16690
  prepopulation: "runtime_secret",
13628
16691
  copyMode: "none",
13629
16692
  description: "Proxy token mints are ephemeral secret-bearing runtime rows."
13630
16693
  },
13631
16694
  {
13632
- component: "identity",
16695
+ component: "control-plane",
13633
16696
  table: "tenantSandboxAuditEvents",
13634
16697
  prepopulation: "runtime_log",
13635
16698
  copyMode: "none",
13636
16699
  description: "Sandbox audit rows are runtime security logs."
13637
16700
  },
13638
16701
  {
13639
- component: "identity",
16702
+ component: "control-plane",
13640
16703
  table: "tenantSecrets",
13641
16704
  prepopulation: "runtime_secret",
13642
16705
  copyMode: "none",
13643
16706
  description: "Tenant secrets are credentials and must never be copied."
13644
16707
  },
13645
16708
  {
13646
- component: "identity",
16709
+ component: "control-plane",
13647
16710
  table: "toolAcls",
13648
16711
  prepopulation: "required_template",
13649
16712
  copyMode: "template_global",
@@ -13652,7 +16715,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13652
16715
  description: "Default role-to-tool grants are required for SDK/MCP tool access."
13653
16716
  },
13654
16717
  {
13655
- component: "identity",
16718
+ component: "control-plane",
13656
16719
  table: "toolRegistry",
13657
16720
  prepopulation: "required_template",
13658
16721
  copyMode: "template_global",
@@ -13661,7 +16724,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13661
16724
  description: "Core tool catalog rows are required before pack or tenant tools exist."
13662
16725
  },
13663
16726
  {
13664
- component: "identity",
16727
+ component: "control-plane",
13665
16728
  table: "users",
13666
16729
  prepopulation: "runtime_bootstrap",
13667
16730
  copyMode: "none",